bazz2 2015-12-23 22:46:09 +08:00
commit b90ee18d95
29 changed files with 2957 additions and 1494 deletions


@ -0,0 +1,509 @@
来自 Linux 基金会内部的《Linux 工作站安全检查清单》
================================================================================
### 目标受众
这是一套 Linux 基金会为其系统管理员提供的推荐规范。
这个文档用于帮助那些使用 Linux 工作站来访问和管理项目的 IT 设施的系统管理员团队。
如果你的系统管理员是远程员工你也许可以使用这套指导方针确保系统管理员的系统可以通过核心安全需求降低你的IT 平台成为攻击目标的风险。
即使你的系统管理员不是远程员工,很多人也会在工作环境中通过便携笔记本完成工作,或者在家中设置系统以便在业余时间或紧急时刻访问工作平台。不论发生何种情况,你都能调整这个推荐规范来适应你的环境。
### 限制
但是这并不是一个详细的“工作站加固”文档可以说这是一个努力避免大多数明显安全错误而不会导致太多不便的一组推荐基线baseline。你也许阅读这个文档后会认为它的方法太偏执而另一些人也许会认为这仅仅是一些肤浅的研究。安全就像在高速公路上开车 -- 任何比你开的慢的都是一个傻瓜,然而任何比你开的快的人都是疯子。这个指南仅仅是一些列核心安全规则,既不详细又不能替代经验、警惕和常识。
我们分享这篇文档是为了[将开源协作的优势带到 IT 策略文献资料中][18]。如果你发现它有用,我们希望你可以将它用到你自己团体中,并分享你的改进,对它的完善做出你的贡献。
### 结构
每一节都分为两个部分:
- 核对适合你项目的需求
- 形式不定的提示内容,解释了为什么这么做
#### 严重级别
在清单的每一个项目都包括严重级别,我们希望这些能帮助指导你的决定:
- **关键ESSENTIAL** 该项应该在考虑列表上被明确的重视。如果不采取措施,将会导致你的平台安全出现高风险。
- **中等NICE** 该项将改善你的安全形势,但是会影响到你的工作环境的流程,可能会要求养成新的习惯,改掉旧的习惯。
- **低等PARANOID** 留作感觉会明显完善我们平台安全、但是可能会需要大量调整与操作系统交互的方式的项目。
记住,这些只是参考。如果你觉得这些严重级别不能反映你的工程对安全的承诺,你应该调整它们为你所合适的。
## 选择正确的硬件
我们并不会要求管理员使用一个特殊供应商或者一个特殊的型号,所以这一节提供的是选择工作系统时的核心注意事项。
### 检查清单
- [ ] 系统支持安全启动SecureBoot _(关键)_
- [ ] 系统没有火线Firewire雷电thunderbolt或者扩展卡ExpressCard接口 _(中等)_
- [ ] 系统有 TPM 芯片 _(中等)_
### 注意事项
#### 安全启动SecureBoot
尽管它还有争议但是安全引导能够预防很多针对工作站的攻击Rootkits、“Evil Maid”等等而没有太多额外的麻烦。它并不能阻止真正专门的攻击者加上在很大程度上国家安全机构有办法应对它可能是通过设计),但是有安全引导总比什么都没有强。
作为选择,你也许可以部署 [Anti Evil Maid][1] 提供更多健全的保护,以对抗安全引导所需要阻止的攻击类型,但是它需要更多部署和维护的工作。
#### 系统没有火线Firewire雷电thunderbolt或者扩展卡ExpressCard接口
火线是一个标准,其设计上允许任何连接的设备能够完全地直接访问你的系统内存(参见[维基百科][2])。雷电接口和扩展卡同样有问题,虽然一些后来部署的雷电接口试图限制内存访问的范围。如果你没有这些系统端口,那是最好的,但是它并不严重,它们通常可以通过 UEFI 关闭或内核本身禁用。
#### TPM 芯片
可信平台模块Trusted Platform Module TPM是主板上的一个与核心处理器单独分开的加密芯片它可以用来增加平台的安全性比如存储全盘加密的密钥不过通常不会用于日常的平台操作。充其量这个是一个有则更好的东西除非你有特殊需求需要使用 TPM 增加你的工作站安全性。
## 预引导环境
这是你开始安装操作系统前的一系列推荐规范。
### 检查清单
- [ ] 使用 UEFI 引导模式(不是传统 BIOS_(关键)_
- [ ] 进入 UEFI 配置需要使用密码 _(关键)_
- [ ] 使用安全引导 _(关键)_
- [ ] 启动系统需要 UEFI 级别密码 _(中等)_
### 注意事项
#### UEFI 和安全引导
UEFI 尽管有缺点,还是提供了很多传统 BIOS 没有的好功能,比如安全引导。大多数现代的系统都默认使用 UEFI 模式。
确保进入 UEFI 配置模式要使用高强度密码。注意,很多厂商默默地限制了你使用密码长度,所以相比长口令你也许应该选择高熵值的短密码(关于密码短语请参考下面内容)。
基于你选择的 Linux 发行版,你也许需要、也许不需要按照 UEFI 的要求,来导入你的发行版的安全引导密钥,从而允许你启动该发行版。很多发行版已经与微软合作,用大多数厂商所支持的密钥给它们已发布的内核签名,因此避免了你必须处理密钥导入的麻烦。
作为一个额外的措施在允许某人访问引导分区然后尝试做一些不好的事之前让他们输入密码。为了防止肩窥shoulder-surfing这个密码应该跟你的 UEFI 管理密码不同。如果你经常关闭和启动,你也许不想这么麻烦,因为你已经必须输入 LUKS 密码了LUKS 参见下面内容),这样会让你您减少一些额外的键盘输入。
## 发行版选择注意事项
很有可能你会坚持一个广泛使用的发行版如 FedoraUbuntuArchDebian或它们的一个类似发行版。无论如何以下是你选择使用发行版应该考虑的。
### 检查清单
- [ ] 拥有一个强健的 MAC/RBAC 系统SELinux/AppArmor/Grsecurity _(关键)_
- [ ] 发布安全公告 _(关键)_
- [ ] 提供及时的安全补丁 _(关键)_
- [ ] 提供软件包的加密验证 _(关键)_
- [ ] 完全支持 UEFI 和安全引导 _(关键)_
- [ ] 拥有健壮的原生全磁盘加密支持 _(关键)_
### 注意事项
#### SELinuxAppArmor和 GrSecurity/PaX
强制访问控制Mandatory Access ControlsMAC或者基于角色的访问控制Role-Based Access ControlsRBAC是一个用在老式 POSIX 系统的基于用户或组的安全机制扩展。现在大多数发行版已经捆绑了 MAC/RBAC 系统FedoraUbuntu或通过提供一种机制一个可选的安装后步骤来添加它GentooArchDebian。显然强烈建议您选择一个预装 MAC/RBAC 系统的发行版,但是如果你对某个没有默认启用它的发行版情有独钟,装完系统后应计划配置安装它。
应该坚决避免使用不带任何 MAC/RBAC 机制的发行版,像传统的 POSIX 基于用户和组的安全在当今时代应该算是考虑不足。如果你想建立一个 MAC/RBAC 工作站,通常认为 AppArmor 和 PaX 比 SELinux 更容易掌握。此外在工作站上很少有或者根本没有对外监听的守护进程而针对用户运行的应用造成的最高风险GrSecurity/PaX _可能_ 会比SELinux 提供更多的安全便利。
#### 发行版安全公告
大多数广泛使用的发行版都有一个给它们的用户发送安全公告的机制,但是如果你对一些机密感兴趣,去看看开发人员是否有见于文档的提醒用户安全漏洞和补丁的机制。缺乏这样的机制是一个重要的警告信号,说明这个发行版不够成熟,不能被用作主要管理员的工作站。
#### 及时和可靠的安全更新
多数常用的发行版提供定期安全更新但应该经常检查以确保及时提供关键包更新。因此应避免使用附属发行版spin-offs和“社区重构”因为它们必须等待上游发行版先发布它们经常延迟发布安全更新。
现在很难找到一个不使用加密签名、更新元数据或二者都不使用的发行版。如此说来常用的发行版在引入这个基本安全机制就已经知道这些很多年了Arch说你呢所以这也是值得检查的。
#### 发行版支持 UEFI 和安全引导
检查发行版是否支持 UEFI 和安全引导。查明它是否需要导入额外的密钥或是否要求启动内核有一个已经被系统厂商信任的密钥签名(例如跟微软达成合作)。一些发行版不支持 UEFI 或安全启动但是提供了替代品来确保防篡改tamper-proof或防破坏tamper-evident引导环境[Qubes-OS][3] 使用 Anti Evil Maid前面提到的。如果一个发行版不支持安全引导也没有防止引导级别攻击的机制还是看看别的吧。
#### 全磁盘加密
全磁盘加密是保护静止数据的要求,大多数发行版都支持。作为一个选择方案,带有自加密硬盘的系统也可以用(通常通过主板 TPM 芯片实现),并提供了类似安全级别而且操作更快,但是花费也更高。
## 发行版安装指南
所有发行版都是不同的,但是也有一些一般原则:
### 检查清单
- [ ] 使用健壮的密码全磁盘加密LUKS _(关键)_
- [ ] 确保交换分区也加密了 _(关键)_
- [ ] 确保引导程序设置了密码可以和LUKS一样 _(关键)_
- [ ] 设置健壮的 root 密码可以和LUKS一样 _(关键)_
- [ ] 使用无特权账户登录,作为管理员组的一部分 _(关键)_
- [ ] 设置健壮的用户登录密码,不同于 root 密码 _(关键)_
### 注意事项
#### 全磁盘加密
除非你正在使用自加密硬盘,配置你的安装程序完整地加密所有存储你的数据与系统文件的磁盘很重要。简单地通过自动挂载的 cryptfs 环loop文件加密用户目录还不够说你呢旧版 Ubuntu这并没有给系统二进制文件或交换分区提供保护它可能包含大量的敏感数据。推荐的加密策略是加密 LVM 设备,以便在启动过程中只需要一个密码。
`/boot`分区将一直保持非加密,因为引导程序需要在调用 LUKS/dm-crypt 前能引导内核自身。一些发行版支持加密的`/boot`分区,比如 [Arch][16],可能别的发行版也支持,但是似乎这样增加了系统更新的复杂度。如果你的发行版并没有原生支持加密`/boot`也不用太在意,内核镜像本身并没有什么隐私数据,它会通过安全引导的加密签名检查来防止被篡改。
#### 选择一个好密码
现代的 Linux 系统没有限制密码口令长度,所以唯一的限制是你的偏执和倔强。如果你要启动你的系统,你将大概至少要输入两个不同的密码:一个解锁 LUKS 另一个登录所以长密码将会使你老的更快。最好从丰富或混合的词汇中选择2-3个单词长度容易输入的密码。
优秀密码例子(是的,你可以使用空格):
- nature abhors roombas
- 12 in-flight Jebediahs
- perdon, tengo flatulence
如果你喜欢输入可以在公开场合和你生活中能见到的句子,比如:
- Mary had a little lamb
- you're a wizard, Harry
- to infinity and beyond
如果你愿意的话,你也应该带上最少要 10-12个字符长度的非词汇的密码。
除非你担心物理安全,你可以写下你的密码,并保存在一个远离你办公桌的安全的地方。
#### Root用户密码和管理组
我们建议,你的 root 密码和你的 LUKS 加密使用同样的密码(除非你共享你的笔记本给信任的人,让他应该能解锁设备,但是不应该能成为 root 用户)。如果你是笔记本电脑的唯一用户,那么你的 root 密码与你的 LUKS 密码不同是没有安全优势上的意义的。通常,你可以使用同样的密码在你的 UEFI 管理,磁盘加密,和 root 登录中 -- 知道这些任意一个都会让攻击者完全控制您的系统,在单用户工作站上使这些密码不同,没有任何安全益处。
你应该有一个不同的,但同样强健的常规用户帐户密码用来日常工作。这个用户应该是管理组用户(例如`wheel`或者类似,根据发行版不同),允许你执行`sudo`来提升权限。
换句话说如果在你的工作站只有你一个用户你应该有两个独特的、强健robust而强壮strong的密码需要记住
**管理级别**,用在以下方面:
- UEFI 管理
- 引导程序GRUB
- 磁盘加密LUKS
- 工作站管理root 用户)
**用户级别**,用在以下:
- 用户登录和 sudo
- 密码管理器的主密码
很明显,如果有一个令人信服的理由的话,它们全都可以不同。
## 安装后的加固
安装后的安全加固在很大程度上取决于你选择的发行版,所以在一个像这样的通用文档中提供详细说明是徒劳的。然而,这里有一些你应该采取的步骤:
### 检查清单
- [ ] 在全局范围内禁用火线和雷电模块 _(关键)_
- [ ] 检查你的防火墙,确保过滤所有传入端口 _(关键)_
- [ ] 确保 root 邮件转发到一个你可以收到的账户 _(关键)_
- [ ] 建立一个系统自动更新任务,或更新提醒 _(中等)_
- [ ] 检查以确保 sshd 服务默认情况下是禁用的 _(中等)_
- [ ] 配置屏幕保护程序在一段时间的不活动后自动锁定 _(中等)_
- [ ] 设置 logwatch _(中等)_
- [ ] 安装使用 rkhunter _(中等)_
- [ ] 安装一个入侵检测系统Intrusion Detection System _(中等)_
### 注意事项
#### 将模块列入黑名单
将火线和雷电模块列入黑名单,增加一行到`/etc/modprobe.d/blacklist-dma.conf`文件:
blacklist firewire-core
blacklist thunderbolt
重启后的这些模块将被列入黑名单。这样做是无害的,即使你没有这些端口(但也不做任何事)。
#### Root 邮件
默认的 root 邮件只是存储在系统基本上没人读过。确保你设置了你的`/etc/aliases`来转发 root 邮件到你确实能读取的邮箱,否则你也许错过了重要的系统通知和报告:
# Person who should get root's mail
root: bob@example.com
编辑后这些后运行`newaliases`,然后测试它确保能投递到,像一些邮件供应商将拒绝来自不存在的域名或者不可达的域名的邮件。如果是这个原因,你需要配置邮件转发直到确实可用。
#### 防火墙sshd和监听进程
默认的防火墙设置将取决于您的发行版,但是大多数都允许`sshd`端口连入。除非你有一个令人信服的合理理由允许连入 ssh你应该过滤掉它并禁用 sshd 守护进程。
systemctl disable sshd.service
systemctl stop sshd.service
如果你需要使用它,你也可以临时启动它。
通常,你的系统不应该有任何侦听端口,除了响应 ping 之外。这将有助于你对抗网络级的零日漏洞利用。
#### 自动更新或通知
建议打开自动更新,除非你有一个非常好的理由不这么做,如果担心自动更新将使您的系统无法使用(以前发生过,所以这种担心并非杞人忧天)。至少,你应该启用自动通知可用的更新。大多数发行版已经有这个服务自动运行,所以你不需要做任何事。查阅你的发行版文档了解更多。
你应该尽快应用所有明显的勘误,即使这些不是特别贴上“安全更新”或有关联的 CVE 编号。所有的问题都有潜在的安全漏洞和新的错误,比起停留在旧的、已知的问题上,未知问题通常是更安全的策略。
#### 监控日志
你应该会对你的系统上发生了什么很感兴趣。出于这个原因,你应该安装`logwatch`然后配置它每夜发送在你的系统上发生的任何事情的活动报告。这不会预防一个专业的攻击者,但是一个不错的安全网络功能。
注意,许多 systemd 发行版将不再自动安装一个“logwatch”所需的 syslog 服务(因为 systemd 会放到它自己的日志中所以你需要安装和启用“rsyslog”来确保在使用 logwatch 之前你的 /var/log 不是空的。
#### Rkhunter 和 IDS
安装`rkhunter`和一个类似`aide`或者`tripwire`入侵检测系统IDS并不是那么有用除非你确实理解它们如何工作并采取必要的步骤来设置正确例如保证数据库在外部介质从可信的环境运行检测记住执行系统更新和配置更改后要刷新散列数据库等等。如果你不愿在你的工作站执行这些步骤并调整你如何工作的方式这些工具只能带来麻烦而没有任何实在的安全益处。
我们建议你安装`rkhunter`并每晚运行它。它相当易于学习和使用,虽然它不会阻止一个复杂的攻击者,它也能帮助你捕获你自己的错误。
## 个人工作站备份
工作站备份往往被忽视,或偶尔才做一次,这常常是不安全的方式。
### 检查清单
- [ ] 设置加密备份工作站到外部存储 _(关键)_
- [ ] 使用零认知zero-knowledge备份工具备份到站外或云上 _(中等)_
### 注意事项
#### 全加密的备份存到外部存储
把全部备份放到一个移动磁盘中比较方便,不用担心带宽和上行网速(在这个时代,大多数供应商仍然提供显著的不对称的上传/下载速度)。不用说,这个移动硬盘本身需要加密(再说一次,通过 LUKS或者你应该使用一个备份工具建立加密备份例如`duplicity`或者它的 GUI 版本 `deja-dup`。我建议使用后者并使用随机生成的密码,保存到离线的安全地方。如果你带上笔记本去旅行,把这个磁盘留在家,以防你的笔记本丢失或被窃时可以找回备份。
除了你的家目录外,你还应该备份`/etc`目录和出于取证目的的`/var/log`目录。
尤其重要的是,避免拷贝你的家目录到任何非加密存储上,即使是需要快速的在两个系统上移动文件时,一旦完成你肯定会忘了清除它,从而暴露个人隐私或者安全信息到监听者手中 -- 尤其是把这个存储介质跟你的笔记本放到同一个包里。
#### 有选择的零认知站外备份
站外备份Off-site backup也是相当重要的是否可以做到要么需要你的老板提供空间要么找一家云服务商。你可以建一个单独的 duplicity/deja-dup 配置,只包括重要的文件,以免传输大量你不想备份的数据(网络缓存、音乐、下载等等)。
作为选择你可以使用零认知zero-knowledge备份工具例如 [SpiderOak][5],它提供一个卓越的 Linux GUI工具还有更多的实用特性例如在多个系统或平台间同步内容。
## 最佳实践
下面是我们认为你应该采用的最佳实践列表。它当然不是非常详细的,而是试图提供实用的建议,来做到可行的整体安全性和可用性之间的平衡。
### 浏览
毫无疑问, web 浏览器将是你的系统上最大、最容易暴露的面临攻击的软件。它是专门下载和执行不可信、甚至是恶意代码的一个工具。它试图采用沙箱和代码清洁code sanitization等多种机制保护你免受这种危险但是在之前它们都被击败了多次。你应该知道在任何时候浏览网站都是你做的最不安全的活动。
有几种方法可以减少浏览器的影响,但这些真实有效的方法需要你明显改变操作您的工作站的方式。
#### 1: 使用两个不同的浏览器 _(关键)_
这很容易做到,但是只有很少的安全效益。并不是所有浏览器都可以让攻击者完全自由访问您的系统 -- 有时它们只能允许某人读取本地浏览器存储,窃取其它标签的活动会话,捕获浏览器的输入等。使用两个不同的浏览器,一个用在工作/高安全站点,另一个用在其它方面,有助于防止攻击者请求整个 cookie 存储的小问题。主要的不便是两个不同的浏览器会消耗大量内存。
我们建议:
##### 火狐用来访问工作和高安全站点
使用火狐登录工作有关的站点,应该额外关心的是确保数据如 cookies会话登录信息击键等等明显不应该落入攻击者手中。除了少数的几个网站你不应该用这个浏览器访问其它网站。
你应该安装下面的火狐扩展:
- [ ] NoScript _(关键)_
- NoScript 阻止活动内容加载,除非是在用户白名单里的域名。如果用于默认浏览器它会很麻烦(可是提供了真正好的安全效益),所以我们建议只在访问与工作相关的网站的浏览器上开启它。
- [ ] Privacy Badger _(关键)_
- EFF 的 Privacy Badger 将在页面加载时阻止大多数外部追踪器和广告平台,有助于在这些追踪站点影响你的浏览器时避免跪了(追踪器和广告站点通常会成为攻击者的目标,因为它们能会迅速影响世界各地成千上万的系统)。
- [ ] HTTPS Everywhere _(关键)_
- 这个 EFF 开发的扩展将确保你访问的大多数站点都使用安全连接,甚至你点击的连接使用的是 http://(可以有效的避免大多数的攻击,例如[SSL-strip][7])。
- [ ] Certificate Patrol _(中等)_
- 如果你正在访问的站点最近改变了它们的 TLS 证书,这个工具将会警告你 -- 特别是如果不是接近失效期或者现在使用不同的证书颁发机构。它有助于警告你是否有人正尝试中间人攻击你的连接,不过它会产生很多误报。
你应该让火狐成为你打开连接时的默认浏览器,因为 NoScript 将在加载或者执行时阻止大多数活动内容。
##### 其它一切都用 Chrome/Chromium
Chromium 开发者在增加很多很好的安全特性方面走在了火狐前面(至少[在 Linux 上][6]),例如 seccomp 沙箱内核用户空间等等这会成为一个你访问的网站与你其它系统之间的额外隔离层。Chromium 是上游开源项目Chrome 是 Google 基于它构建的专有二进制包(加一句偏执的提醒,如果你有任何不想让谷歌知道的事情都不要使用它)。
推荐你在 Chrome 上也安装**Privacy Badger** 和 **HTTPS Everywhere** 扩展,然后给它一个与火狐不同的主题,以让它告诉你这是你的“不可信站点”浏览器。
#### 2: 使用两个不同浏览器,一个在专用的虚拟机里 _(中等)_
这有点像上面建议的做法,除了您将添加一个通过快速访问协议运行在专用虚拟机内部 Chrome 的额外步骤它允许你共享剪贴板和转发声音事件Spice 或 RDP。这将在不可信浏览器和你其它的工作环境之间添加一个优秀的隔离层确保攻击者完全危害你的浏览器将必须另外打破 VM 隔离层,才能达到系统的其余部分。
这是一个鲜为人知的可行方式,但是需要大量的 RAM 和高速的处理器来处理多增加的负载。这要求作为管理员的你需要相应地调整自己的工作实践而付出辛苦。
#### 3: 通过虚拟化完全隔离你的工作和娱乐环境 _(低等)_
了解下 [Qubes-OS 项目][3],它致力于通过划分你的应用到完全隔离的 VM 中来提供高度安全的工作环境。
### 密码管理器
#### 检查清单
- [ ] 使用密码管理器 _(关键)_
- [ ] 不相关的站点使用不同的密码 _(关键)_
- [ ] 使用支持团队共享的密码管理器 _(中等)_
- [ ] 给非网站类账户使用一个单独的密码管理器 _(低等)_
#### 注意事项
使用好的、唯一的密码对你的团队成员来说应该是非常关键的需求。凭证credential盗取一直在发生 — 通过被攻破的计算机、盗取数据库备份、远程站点利用、以及任何其它的方式。凭证绝不应该跨站点重用,尤其是关键的应用。
##### 浏览器中的密码管理器
每个浏览器有一个比较安全的保存密码机制,可以同步到供应商维护的,并使用用户的密码保证数据加密。然而,这个机制有严重的劣势:
1. 不能跨浏览器工作
2. 不提供任何与团队成员共享凭证的方法
也有一些支持良好、免费或便宜的密码管理器,可以很好的融合到多个浏览器,跨平台工作,提供小组共享(通常是付费服务)。可以很容易地通过搜索引擎找到解决方案。
##### 独立的密码管理器
任何与浏览器结合的密码管理器都有一个主要的缺点,它实际上是应用的一部分,这样最有可能被入侵者攻击。如果这让你不放心(应该这样),你应该选择两个不同的密码管理器 -- 一个集成在浏览器中用来保存网站密码,一个作为独立运行的应用。后者可用于存储高风险凭证如 root 密码、数据库密码、其它 shell 账户凭证等。
这样的工具在团队成员间共享超级用户的凭据方面特别有用(服务器 root 密码、ILO密码、数据库管理密码、引导程序密码等等
这几个工具可以帮助你:
- [KeePassX][8]在第2版中改进了团队共享
- [Pass][9],它使用了文本文件和 PGP并与 git 结合
- [Django-Pstore][10],它使用 GPG 在管理员之间共享凭据
- [Hiera-Eyaml][11],如果你已经在你的平台中使用了 Puppet在你的 Hiera 加密数据的一部分里面,可以便捷的追踪你的服务器/服务凭证。
### 加固 SSH 与 PGP 的私钥
个人加密密钥,包括 SSH 和 PGP 私钥,都是你工作站中最重要的物品 -- 这是攻击者最想得到的东西,这可以让他们进一步攻击你的平台或在其它管理员面前冒充你。你应该采取额外的步骤,确保你的私钥免遭盗窃。
#### 检查清单
- [ ] 用来保护私钥的强壮密码 _(关键)_
- [ ] PGP 的主密码保存在移动存储中 _(中等)_
- [ ] 用于身份验证、签名和加密的子密码存储在智能卡设备 _(中等)_
- [ ] SSH 配置为以 PGP 认证密钥作为 ssh 私钥 _(中等)_
#### 注意事项
防止私钥被偷的最好方式是使用一个智能卡存储你的加密私钥,绝不要拷贝到工作站上。有几个厂商提供支持 OpenPGP 的设备:
- [Kernel Concepts][12],在这里可以采购支持 OpenPGP 的智能卡和 USB 读取器,你应该需要一个。
- [Yubikey NEO][13],这里提供 OpenPGP 功能的智能卡还提供很多很酷的特性U2F、PIV、HOTP等等
确保 PGP 主密码没有存储在工作站也很重要,仅使用子密码。主密钥只有在签名其它的密钥和创建新的子密钥时使用 — 不经常发生这种操作。你可以照着 [Debian 的子密钥][14]向导来学习如何将你的主密钥移动到移动存储并创建子密钥。
你应该配置你的 gnupg 代理作为 ssh 代理,然后使用基于智能卡 PGP 认证密钥作为你的 ssh 私钥。我们发布了一个[详尽的指导][15]如何使用智能卡读取器或 Yubikey NEO。
如果你不想那么麻烦,最少要确保你的 PGP 私钥和你的 SSH 私钥有个强健的密码,这将让攻击者很难盗取使用它们。
### 休眠或关机,不要挂起
当系统挂起时内存中的内容仍然保留在内存芯片中可以会攻击者读取到这叫做冷启动攻击Cold Boot Attack。如果你离开你的系统的时间较长比如每天下班结束最好关机或者休眠而不是挂起它或者就那么开着。
### 工作站上的 SELinux
如果你使用捆绑了 SELinux 的发行版(如 Fedora这有些如何使用它的建议让你的工作站达到最大限度的安全。
#### 检查清单
- [ ] 确保你的工作站强制enforcing使用 SELinux _(关键)_
- [ ] 不要盲目的执行`audit2allow -M`,应该经常检查 _(关键)_
- [ ] 绝不要 `setenforce 0` _(中等)_
- [ ] 切换你的用户到 SELinux 用户`staff_u` _(中等)_
#### 注意事项
SELinux 是强制访问控制Mandatory Access ControlsMAC是 POSIX许可核心功能的扩展。它是成熟、强健自从它推出以来已经有很长的路了。不管怎样许多系统管理员现在仍旧重复过时的口头禅“关掉它就行”。
话虽如此,在工作站上 SELinux 会带来一些有限的安全效益,因为大多数你想运行的应用都是可以自由运行的。开启它有益于给网络提供足够的保护,也有可能有助于防止攻击者通过脆弱的后台服务提升到 root 级别的权限用户。
我们的建议是开启它并强制使用enforcing
##### 绝不`setenforce 0`
使用`setenforce 0`临时把 SELinux 设置为许可permissive模式很有诱惑力但是你应该避免这样做。当你想查找一个特定应用或者程序的问题时实际上这样做是把整个系统的 SELinux 给关闭了。
你应该使用`semanage permissive -a [somedomain_t]`替换`setenforce 0`,只把这个程序放入许可模式。首先运行`ausearch`查看哪个程序发生问题:
ausearch -ts recent -m avc
然后看下`scontext=`(源自 SELinux 的上下文)行,像这样:
scontext=staff_u:staff_r:gpg_pinentry_t:s0-s0:c0.c1023
^^^^^^^^^^^^^^
这告诉你程序`gpg_pinentry_t`被拒绝了,所以你想排查应用的故障,应该增加它到许可域:
semange permissive -a gpg_pinentry_t
这将允许你使用应用然后收集 AVC 的其它数据,你可以结合`audit2allow`来写一个本地策略。一旦完成你就不会看到新的 AVC 的拒绝消息,你就可以通过运行以下命令从许可中删除程序:
semanage permissive -d gpg_pinentry_t
##### 用 SELinux 的用户 staff_r 使用你的工作站
SELinux 带有角色role的原生实现基于用户帐户相关角色来禁止或授予某些特权。作为一个管理员你应该使用`staff_r`角色,这可以限制访问很多配置和其它安全敏感文件,除非你先执行`sudo`。
默认情况下,用户以`unconfined_r`创建你可以自由运行大多数应用没有任何或只有一点SELinux 约束。转换你的用户到`staff_r`角色,运行下面的命令:
usermod -Z staff_u [username]
你应该退出然后登录新的角色,届时如果你运行`id -Z`,你将会看到:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
在执行`sudo`时,你应该记住增加一个额外标志告诉 SELinux 转换到“sysadmin”角色。你需要用的命令是
sudo -i -r sysadm_r
然后`id -Z`将会显示:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
**警告**:在进行这个切换前你应该能很顺畅的使用`ausearch`和`audit2allow`,当你以`staff_r`角色运行时你的应用有可能不再工作了。在写作本文时,已知以下流行的应用在`staff_r`下没有做策略调整就不会工作:
- Chrome/Chromium
- Skype
- VirtualBox
切换回`unconfined_r`,运行下面的命令:
usermod -Z unconfined_u [username]
然后注销再重新回到舒适区。
## 延伸阅读
IT 安全的世界是一个没有底的兔子洞。如果你想深入,或者找到你的具体发行版更多的安全特性,请查看下面这些链接:
- [Fedora 安全指南](https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/index.html)
- [CESG Ubuntu 安全指南](https://www.gov.uk/government/publications/end-user-devices-security-guidance-ubuntu-1404-lts)
- [Debian 安全手册](https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)
- [Arch Linux 安全维基](https://wiki.archlinux.org/index.php/Security)
- [Mac OSX 安全](https://www.apple.com/support/security/guides/)
## 许可
这项工作在[创作共用授权4.0国际许可证][0]许可下。
--------------------------------------------------------------------------------
via: https://github.com/lfit/itpol/blob/bbc17d8c69cb8eee07ec41f8fbf8ba32fdb4301b/linux-workstation-security.md
作者:[mricon][a]
译者:[wyangsun](https://github.com/wyangsun)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://github.com/mricon
[0]: http://creativecommons.org/licenses/by-sa/4.0/
[1]: https://github.com/QubesOS/qubes-antievilmaid
[2]: https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
[3]: https://qubes-os.org/
[4]: https://xkcd.com/936/
[5]: https://spideroak.com/
[6]: https://code.google.com/p/chromium/wiki/LinuxSandboxing
[7]: http://www.thoughtcrime.org/software/sslstrip/
[8]: https://keepassx.org/
[9]: http://www.passwordstore.org/
[10]: https://pypi.python.org/pypi/django-pstore
[11]: https://github.com/TomPoulton/hiera-eyaml
[12]: http://shop.kernelconcepts.de/
[13]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
[14]: https://wiki.debian.org/Subkeys
[15]: https://github.com/lfit/ssh-gpg-smartcard-config
[16]: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
[17]: https://en.wikipedia.org/wiki/Cold_boot_attack
[18]: http://www.linux.com/news/featured-blogs/167-amanda-mcpherson/850607-linux-foundation-sysadmins-open-source-their-it-policies
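Review bot: the `semange permissive -a gpg_pinentry_t` command in the SELinux section is misspelled; it should read `semanage permissive -a gpg_pinentry_t`, matching the `semanage permissive -d gpg_pinentry_t` line that follows, otherwise a reader who copies it gets a command-not-found error. In the SSH/PGP section, the checklist items “PGP 的主密码保存在移动存储中” and “……的子密码存储在智能卡设备”, and the sentence “确保 PGP 主密码没有存储在工作站也很重要,仅使用子密码”, translate “master key” and “subkeys” as passwords; they should be 主密钥 and 子密钥, as the same paragraph already uses (“主密钥只有在签名其它的密钥和创建新的子密钥时使用”). The reference list defines [4] (xkcd 936) and [17] (cold boot attack) but nothing in the text links to them, so the inline citations in the password and suspend sections were dropped during translation. Minor: “这样会让你您减少” in the UEFI section has a stray 您.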


@ -0,0 +1,80 @@
如何使用 pv 命令监控 linux 命令的执行进度
================================================================================
![](https://www.maketecheasier.com/assets/uploads/2015/11/pv-featured-1.jpg)
如果你是一个 linux 系统管理员,那么毫无疑问你必须花费大量的工作时间在命令行上:安装和卸载软件,监视系统状态,复制、移动、删除文件,查错,等等。很多时候都是你输入一个命令,然后等待很长时间直到执行完成。也有的时候你执行的命令挂起了,而你只能猜测命令执行的实际情况。
通常 linux 命令不提供和进度相关的信息而这些信息特别重要尤其当你只有有限的时间时。然而这并不意味着你是无助的——现在有一个命令pv它会显示当前在命令行执行的命令的进度信息。在本文我们会讨论它并用几个简单的例子说明其特性。
### PV 命令 ###
[PV][1] 由Andrew Wood 开发,是 Pipe Viewer 的简称,意思是通过管道显示数据处理进度的信息。这些信息包括已经耗费的时间,完成的百分比(通过进度条显示),当前的速度,全部传输的数据,以及估计剩余的时间。
> "要使用 PV需要配合合适的选项把它放置在两个进程之间的管道。命令的标准输入将会通过标准输出传进来的而进度会被输出到标准错误输出。”
上述解释来自该命令的帮助页。
### 下载和安装 ###
Debian 系的操作系统,如 Ubuntu可以简单的使用下面的命令安装 PV
sudo apt-get install pv
如果你使用了其他发行版本,你可以使用各自的包管理软件在你的系统上安装 PV。一旦 PV 安装好了你就可以在各种场合使用它(详见下文)。需要注意的是下面所有例子都使用的是 pv 1.2.0。
### 特性和用法 ###
我们(在 linux 上使用命令行的用户)的大多数使用场景都会用到的命令是从一个 USB 驱动器拷贝电影文件到你的电脑。如果你使用 cp 来完成上面的任务,你会什么情况都不清楚,直到整个复制过程结束或者出错。
然而pv 命令在这种情景下很有帮助。比如:
pv /media/himanshu/1AC2-A8E3/fNf.mkv > ./Desktop/fnf.mkv
输出如下:
![pv-copy](https://www.maketecheasier.com/assets/uploads/2015/10/pv-copy.png)
所以,如你所见,这个命令显示了很多和操作有关的有用信息,包括已经传输了的数据量,花费的时间,传输速率,进度条,进度的百分比,以及剩余的时间。
`pv` 命令提供了多种显示选项开关。比如,你可以使用`-p` 来显示百分比,`-t` 来显示时间,`-r` 表示传输速率,`-e` 代表etaLCTT 译注:估计剩余的时间)。好事是你不必记住某一个选项,因为默认这几个选项都是启用的。但是,如果你只要其中某一个信息,那么可以通过控制这几个选项来完成任务。
这里还有一个`-n` 选项来允许 pv 命令显示整数百分比,在标准错误输出上每行显示一个数字,用来替代通常的可视进度条。下面是一个例子:
pv -n /media/himanshu/1AC2-A8E3/fNf.mkv > ./Desktop/fnf.mkv
![pv-numeric](https://www.maketecheasier.com/assets/uploads/2015/10/pv-numeric.png)
这个特殊的选项非常合适某些情境下的需求,如你想把用管道把输出传给[dialog][2] 命令。
接下来还有一个命令行选项,`-L` 可以让你修改 pv 命令的传输速率。举个例子,使用 -L 选项来限制传输速率为2MB/s。
pv -L 2m /media/himanshu/1AC2-A8E3/fNf.mkv > ./Desktop/fnf.mkv
![pv-ratelimit](https://www.maketecheasier.com/assets/uploads/2015/10/pv-ratelimit.png)
如上图所见,数据传输速度按照我们的要求被限制了。
另一个pv 可以帮上忙的情景是压缩文件。这里有一个例子可以向你解释如何与压缩软件Gzip 一起工作。
pv /media/himanshu/1AC2-A8E3/fnf.mkv | gzip > ./Desktop/fnf.log.gz
![pv-gzip](https://www.maketecheasier.com/assets/uploads/2015/10/pv-gzip.png)
### 结论 ###
如上所述pv 是一个非常有用的小工具,它可以在命令没有按照预期执行的情况下帮你节省你宝贵的时间。而且这些显示的信息还可以用在 shell 脚本里。我强烈的推荐你使用这个命令,它值得你一试。
--------------------------------------------------------------------------------
via: https://www.maketecheasier.com/monitor-progress-linux-command-line-operation/
作者:[Himanshu Arora][a]
译者:[ezio](https://github.com/oska874)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.maketecheasier.com/author/himanshu/
[1]:http://linux.die.net/man/1/pv
[2]:http://linux.die.net/man/1/dialog
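Review bot: the example commands are inconsistent about the source file's name: the first three use `/media/himanshu/1AC2-A8E3/fNf.mkv` while the gzip example uses `fnf.mkv`; on a case-sensitive filesystem these are different files, so pick one spelling. “另一个pv 可以帮上忙” is also missing the space before `pv` that the rest of the article uses, and the gzip output name `fnf.log.gz` reads like a leftover from a log-file example rather than a compressed `.mkv`.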


@ -1,25 +1,21 @@
使用 netcat [nc] 命令对 Linux 和 Unix 进行端口扫描
================================================================================
我如何在自己的服务器上找出哪些端口是开放的?如何使用 nc 命令进行端口扫描来替换 [Linux 或 类 Unix 中的 nmap 命令][1]
我如何在自己的服务器上找出哪些端口是开放的?如何使用 nc 命令进行端口扫描来替换 [Linux 或类 Unix 中的 nmap 命令][1]
nmap (“Network Mapper”)是一个开源工具用于网络探测和安全审核。如果 nmap 没有安装或者你不希望使用 nmap那你可以用 netcat/nc 命令进行端口扫描。它对于查看目标计算机上哪些端口是开放的或者运行着服务是非常有用的。你也可以使用 [nmap 命令进行端口扫描][2] 。
nmap (“Network Mapper”)是一个用于网络探测和安全审核的开源工具。如果 nmap 没有安装或者你不希望使用 nmap那你可以用 netcat/nc 命令进行端口扫描。它对于查看目标计算机上哪些端口是开放的或者运行着服务是非常有用的。你也可以使用 [nmap 命令进行端口扫描][2] 。
### 如何使用 nc 来扫描 LinuxUNIX 和 Windows 服务器的端口呢? ###
If nmap is not installed try nc / netcat command as follow. The -z flag can be used to tell nc to report open ports, rather than initiate a connection. Run nc command with -z flag. You need to specify host name / ip along with the port range to limit and speedup operation:
如果未安装 nmap试试 nc/netcat 命令,如下所示。-z 参数用来告诉 nc 报告开放的端口,而不是启动连接。在 nc 命令中使用 -z 参数时,你需要在主机名/ip 后面限定端口的范围和加速其运行:
如果未安装 nmap如下所示试试 nc/netcat 命令。-z 参数用来告诉 nc 报告开放的端口,而不是启动连接。在 nc 命令中使用 -z 参数时,你需要在主机名/ip 后面指定端口的范围来限制和加速其运行:
## 语法 ##
nc -z -v {host-name-here} {port-range-here}
### 语法 ###
### nc -z -v {host-name-here} {port-range-here}
nc -z -v host-name-here ssh
nc -z -v host-name-here 22
nc -w 1 -z -v server-name-here port-Number-her
## 扫描 1 to 1023 端口 ##
### 扫描 1 to 1023 端口 ###
nc -zv vip-1.vsnl.nixcraft.in 1-1023
输出示例:
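Review bot: the new `### nc -z -v {host-name-here} {port-range-here}` line turns the syntax example itself into a heading; the old version had `## 语法 ##` as a comment inside the indented code block, so the replacement should keep the command as code (indented like the `nc -z -v host-name-here ssh` lines below it) and make only the label a heading, if anything. Likewise `### 扫描 1 to 1023 端口 ###` mixes English into a Chinese heading (“扫描 1 到 1023 端口”). The unchanged context line `nc -w 1 -z -v server-name-here port-Number-her` has a typo in the placeholder (`port-Number-here`) that this commit could fix at the same time.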
@ -42,16 +38,16 @@ If nmap is not installed try nc / netcat command as follow. The -z flag can be u
nc -zv v.txvip1 smtp
nc -zvn v.txvip1 ftp
## really fast scanner with 1 timeout value ##
### 使用1秒的超时值来更快的扫描 ###
netcat -v -z -n -w 1 v.txvip1 1-1023
输出示例:
![Fig.01: Linux/Unix: Use Netcat to Establish and Test TCP and UDP Connections on a Server](http://s0.cyberciti.org/uploads/faq/2007/07/scan-with-nc.jpg)
图01Linux/Unix使用 Netcat 来测试 TCP 和 UDP 与服务器建立连接
*图01Linux/Unix使用 Netcat 来测试 TCP 和 UDP 与服务器建立连接*
1. -z : 端口扫描模式即 I/O 模式。
1. -z : 端口扫描模式即 I/O 模式。
1. -v : 显示详细信息 [使用 -vv 来输出更详细的信息]。
1. -n : 使用纯数字 IP 地址,即不用 DNS 来解析 IP 地址。
1. -w 1 : 设置超时值设置为1。
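Review bot: `### 使用1秒的超时值来更快的扫描 ###` replaces the `## really fast scanner with 1 timeout value ##` comment that sat inside the code block with a Markdown heading, which splits the code block in two; if the comment is moved out of the block it should at least be written consistently with the other headings (使用 1 秒的超时值来更快地扫描). The `-z` bullet describes the option as “端口扫描模式即 I/O 模式”, but `-z` is zero-I/O mode (零 I/O 模式), so the description should say that; and “-w 1 : 设置超时值设置为1” repeats 设置 and should read 将超时值设置为 1 秒.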
@ -88,12 +84,12 @@ via: http://www.cyberciti.biz/faq/linux-port-scanning/
作者Vivek Gite
译者:[strugglingyouth](https://github.com/strugglingyouth)
校对:[校对者ID](https://github.com/校对者ID)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
[2]:http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html
[3]:http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
[1]:https://linux.cn/article-2561-1.html
[2]:https://linux.cn/article-2561-1.html
[3]:https://linux.cn/article-2561-1.html
[4]:http://www.manpager.com/linux/man1/nc.1.html
[5]:http://www.manpager.com/linux/man1/nmap.1.html
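Review bot: the link rewrite points [1], [2] and [3] all at https://linux.cn/article-2561-1.html, but the original [2] (`linux-scanning-network-for-open-ports.html`) is a different article from [1] and [3] (the nmap command examples); unless article-2561-1 covers both, [2] should keep its original URL or point at its own translation. [1] and [3] were already identical in the original, so one of the two is redundant.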


@ -1,11 +1,10 @@
如何在命令行中使用ftp命令上传和下载文件
如何在命令行中使用 ftp 命令上传和下载文件
================================================================================
本文中介绍在Linux shell中如何使用ftp命令。包括如何连接FTP服务器上传或下载文件以及创建文件夹。尽管现在有许多不错的FTP桌面应用但是在服务器、ssh、远程回话中命令行ftp命令还是有很多应用的。比如。需要服务器从ftp仓库拉取备份。
本文中,介绍在 Linux shell 中如何使用 ftp 命令。包括如何连接 FTP 服务器,上传或下载文件以及创建文件夹。尽管现在有许多不错的 FTP 桌面应用但是在服务器、SSH、远程会话中命令行 ftp 命令还是有很多应用的。比如。需要服务器从 ftp 仓库拉取备份。
### 步骤 1: 建立FTP连接 ###
### 步骤 1: 建立 FTP 连接 ###
想要连接FTP服务器在命令上中先输入'**ftp**'然后空格跟上FTP服务器的域名'domain.com'或者IP地址
想要连接 FTP 服务器,在命令上中先输入`ftp`然后空格跟上 FTP 服务器的域名 'domain.com' 或者 IP 地址
#### 例如: ####
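Review bot: “在命令上中先输入`ftp`” keeps the typo from the old line; it should be 在命令行中. The quoted 'domain.com' could also use the backticks the new line adopts for `ftp`, for consistency.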
@ -15,17 +14,17 @@
ftp user@ftpdomain.com
**注意: 本次例子使用匿名服务器.**
**注意: 本例中使用匿名服务器。**
替换下面例子中IP或域名为你的服务器地址。
替换下面例子中 IP 或域名为你的服务器地址。
![FTP登录](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/ftpanonymous.png)
![FTP 登录](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/ftpanonymous.png)
### 步骤 2: 使用用户名密码登录 ###
绝大多数的FTP服务器是使用密码保护的因此这些FTP服务器会询问'**用户名**'和'**密码**'.
绝大多数的 FTP 服务器是使用密码保护的,因此这些 FTP 服务器会询问'**username**'和'**password**'.
如果你连接到被动匿名FTP服务器可以尝试"anonymous"作为用户名以及空密码:
如果你连接到被称作匿名 FTP 服务器LCTT 译注:即,并不需要你有真实的用户信息即可使用的 FTP 服务器称之为匿名 FTP 服务器),可以尝试`anonymous`作为用户名以及使用空密码:
Name: anonymous
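Review bot: the new “会询问'**username**'和'**password**'.” swaps the Chinese terms for English ones and ends with an ASCII period; since the article is in Chinese, keep 用户名/密码 (or put the English prompt words in backticks as literal prompt text) and end the sentence with 。. The LCTT note on the next changed line also says the same thing twice (“被称作匿名 FTP 服务器……称之为匿名 FTP 服务器”) and should be tightened.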
@ -40,15 +39,14 @@
登录成功。
![FTP登录成功](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/login.png)
![FTP 登录成功](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/login.png)
### 步骤 3: 目录操作 ###
FTP命令可以列出、移动和创建文件夹如同我们在本地使用我们的电脑一样。ls可以打印目录列表cd可以改变目录mkdir可以创建文件夹。
FTP 命令可以列出、移动和创建文件夹,如同我们在本地使用我们的电脑一样。`ls`可以打印目录列表,`cd`可以改变目录,`mkdir`可以创建文件夹。
#### 使用安全设置列出目录 ####
ftp> ls
服务器将返回:
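Review bot: the unchanged heading `#### 使用安全设置列出目录 ####` does not describe `ftp> ls`, which simply lists a directory and involves no “security settings”; since the surrounding lines are being retouched, consider fixing it to 列出目录 or similar.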
@ -74,15 +72,15 @@ FTP命令可以列出、移动和创建文件夹如同我们在本地使用
![FTP中改变目录](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/directory.png)
### 步骤 4: 使用FTP下载文件 ###
### 步骤 4: 使用 FTP 下载文件 ###
在下载一个文件之前我们首先需要使用lcd命令设定本地接受目录位置。
在下载一个文件之前,我们首先需要使用`lcd`命令设定本地接受目录位置。
lcd /home/user/yourdirectoryname
如果你不指定下载目录文件将会下载到你登录FTP时候的工作目录。
如果你不指定下载目录,文件将会下载到你登录 FTP 时候的工作目录。
现在我们可以使用命令get来下载文件比如
现在,我们可以使用命令 get 来下载文件,比如:
get file
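Review bot: “使用`lcd`命令设定本地接受目录位置” should be 接收 (receiving), a typo carried over from the old line. The new “使用命令 get 来下载文件” leaves `get` unformatted while `lcd` on the previous changed line got backticks; be consistent.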
@ -98,15 +96,15 @@ FTP命令可以列出、移动和创建文件夹如同我们在本地使用
![使用FTP下载文件](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/gettingfile.png)
下载多个文件可以使用通配符。例如,下面这个例子我打算下载所有以.xls结尾的文件。
下载多个文件可以使用通配符`mget` 命令。例如,下面这个例子我打算下载所有以 .xls 结尾的文件。
mget *.xls
### 步骤 5: 使用FTP上传文件 ###
### 步骤 5: 使用 FTP 上传文件 ###
完成FTP连接后FTP同样可以上传文件
完成 FTP 连接后FTP 同样可以上传文件
使用put命令上传文件
使用 `put`命令上传文件:
put file
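Review bot: “下载多个文件可以使用通配符`mget` 命令” is missing a conjunction between 通配符 and `mget` (e.g. 通配符和 `mget` 命令), “完成 FTP 连接后FTP 同样可以上传文件” has no sentence-ending punctuation, and “使用 `put`命令” has a space before the backtick but not after it.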
@ -118,7 +116,7 @@ FTP命令可以列出、移动和创建文件夹如同我们在本地使用
mput *.xls
### 步骤 6: 关闭FTP连接 ###
### 步骤 6: 关闭 FTP 连接 ###
完成FTP工作后为了安全起见需要关闭连接。有三个命令可以关闭连接
@ -134,7 +132,7 @@ FTP命令可以列出、移动和创建文件夹如同我们在本地使用
![](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/goodbye.png)
需要更多帮助,在使用ftp命令连接到服务器后可以使用“help”获得更多帮助。
需要更多帮助,在使用 ftp 命令连接到服务器后,可以使用`help`获得更多帮助。
![](https://www.howtoforge.com/images/how-to-use-ftp-in-the-linux-shell/big/helpwindow.png)
@ -143,6 +141,6 @@ FTP命令可以列出、移动和创建文件夹如同我们在本地使用
via: https://www.howtoforge.com/tutorial/how-to-use-ftp-on-the-linux-shell/
译者:[VicYu](http://vicyu.net)
校对:[校对者ID](https://github.com/校对者ID)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出


@ -1,3 +1,4 @@
bazz2222222222222222222222222222222222222222222
Review EXT4 vs. Btrfs vs. XFS
================================================================================
![](http://1426826955.rsc.cdn77.org/wp-content/uploads/2015/09/1385698302_funny_linux_wallpapers-593x445.jpg)
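Review bot: the added line `bazz2222222222222222222222222222222222222222222` at the top of the EXT4/Btrfs/XFS source file does not follow the claim convention used by the other files in this commit (`Translating by KnightJoker`, `Translating by ZTinoZ`); it should be `Translating by bazz2` (or dropped), otherwise the garbage line ends up in the article text.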


@ -1,3 +1,4 @@
Translating by KnightJoker
How to send email notifications using Gmail SMTP server on Linux
================================================================================
Suppose you want to configure a Linux app to send out email messages from your server or desktop. The email messages can be part of email newsletters, status updates (e.g., [Cachet][1]), monitoring alerts (e.g., [Monit][2]), disk events (e.g., [RAID mdadm][3]), and so on. While you can set up your [own outgoing mail server][4] to deliver messages, you can alternatively rely on a freely available public SMTP server as a maintenance-free option.


@ -1,196 +0,0 @@
translation by strugglingyouth
Linux / Unix: jobs Command Examples
================================================================================
I am new Linux and Unix user. How do I show the active jobs on Linux or Unix-like systems using BASH/KSH/TCSH or POSIX based shell? How can I display status of jobs in the current session on Unix/Linux?
Job control is nothing but the ability to stop/suspend the execution of processes (command) and continue/resume their execution as per your requirements. This is done using your operating system and shell such as bash/ksh or POSIX shell.
You shell keeps a table of currently executing jobs and can be displayed with jobs command.
### Purpose ###
> Displays status of jobs in the current shell session.
### Syntax ###
The basic syntax is as follows:
jobs
OR
jobs jobID
OR
jobs [options] jobID
### Starting few jobs for demonstration purpose ###
Before you start using jobs command, you need to start couple of jobs on your system. Type the following commands to start jobs:
## Start xeyes, calculator, and gedit text editor ###
xeyes &
gnome-calculator &
gedit fetch-stock-prices.py &
Finally, run ping command in foreground:
ping www.cyberciti.biz
To suspend ping command job hit the **Ctrl-Z** key sequence.
### jobs command examples ###
To display the status of jobs in the current shell, enter:
$ jobs
Sample outputs:
[1] 7895 Running gpass &
[2] 7906 Running gnome-calculator &
[3]- 7910 Running gedit fetch-stock-prices.py &
[4]+ 7946 Stopped ping cyberciti.biz
To display the process ID or jobs for the job whose name begins with "p," enter:
$ jobs -p %p
OR
$ jobs %p
Sample outputs:
[4]- Stopped ping cyberciti.biz
The character % introduces a job specification. In this example, you are using the string whose name begins with suspended command such as %ping.
### How do I show process IDs in addition to the normal information? ###
Pass the -l(lowercase L) option to jobs command for more information about each job listed, run:
$ jobs -l
Sample outputs:
![Fig.01: Displaying the status of jobs in the shell](http://s0.cyberciti.org/uploads/faq/2013/02/jobs-command-output.jpg)
Fig.01: Displaying the status of jobs in the shell
### How do I list only processes that have changed status since the last notification? ###
First, start a new job as follows:
$ sleep 100 &
Now, only show jobs that have stopped or exited since last notified, type:
$ jobs -n
Sample outputs:
[5]- Running sleep 100 &
### Display lists process IDs (PIDs) only ###
Pass the -p option to jobs command to display PIDs only:
$ jobs -p
Sample outputs:
7895
7906
7910
7946
7949
### How do I display only running jobs? ###
Pass the -r option to jobs command to display only running jobs only, type:
$ jobs -r
Sample outputs:
[1] Running gpass &
[2] Running gnome-calculator &
[3]- Running gedit fetch-stock-prices.py &
### How do I display only jobs that have stopped? ###
Pass the -s option to jobs command to display only stopped jobs only, type:
$ jobs -s
Sample outputs:
[4]+ Stopped ping cyberciti.biz
To resume the ping cyberciti.biz job by entering the following bg command:
$ bg %4
### jobs command options ###
From the [bash(1)][1] command man page:
注:表格
<table border="1">
<tbody>
<tr>
<td>Option</td>
<td>Description</td>
</tr>
<tr>
<td><kbd><strong>-l</strong></kbd></td>
<td>Show process id's in addition to the normal information.</td>
</tr>
<tr>
<td><kbd><strong>-p</strong></kbd></td>
<td>Show process id's only.</td>
</tr>
<tr>
<td><kbd><strong>-n</strong></kbd></td>
<td>Show only processes that have changed status since the last notification are printed.</td>
</tr>
<tr>
<td><kbd><strong>-r</strong></kbd></td>
<td>Restrict output to running jobs only.</td>
</tr>
<tr>
<td><kbd><strong>-s</strong></kbd></td>
<td>Restrict output to stopped jobs only.</td>
</tr>
<tr>
<td><kbd><strong>-x</strong></kbd></td>
<td>COMMAND is run after all job specifications that appear in ARGS have been replaced with the process ID of that job's process group leader./td&gt;</td>
</tr>
</tbody>
</table>
### A note about /usr/bin/jobs and shell builtin ###
Type the following type command to find out whether jobs is part of shell, external command or both:
$ type -a jobs
Sample outputs:
jobs is a shell builtin
jobs is /usr/bin/jobs
In almost all cases you need to use the jobs command that is implemented as a BASH/KSH/POSIX shell built-in. The /usr/bin/jobs command can not be used in the current shell. The /usr/bin/jobs command operates in a different environment and does not share the parent bash/ksh's shells understanding of jobs.
--------------------------------------------------------------------------------
via:
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://www.manpager.com/linux/man1/bash.1.html


@ -1,3 +1,4 @@
Translating by ZTinoZ
How to Install Bugzilla with Apache and SSL on FreeBSD 10.2
================================================================================
Bugzilla is open source web base application for bug tracker and testing tool, develop by mozilla project, and licensed under Mozilla Public License. It is used by high tech company like mozilla, redhat and gnome. Bugzilla was originally created by Terry Weissman in 1998. It written in perl, use MySQL as the database back-end. It is a server software designed to help you manage software development. Bugzilla has a lot of features, optimized database, excellent security, advanced search tool, integrated with email capabilities etc.
@ -264,4 +265,4 @@ via: http://linoxide.com/tools/install-bugzilla-apache-ssl-freebsd-10-2/
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://linoxide.com/author/arulm/
[a]:http://linoxide.com/author/arulm/


@ -1,450 +0,0 @@
Getting started with Docker by Dockerizing this Blog
======================
>This article covers the basic concepts of Docker and how to Dockerize an application by creating a custom Dockerfile
>Written by Benjamin Cane on 2015-12-01 10:00:00
Docker is an interesting technology that over the past 2 years has gone from an idea, to being used by organizations all over the world to deploy applications. In today's article I am going to cover how to get started with Docker by "Dockerizing" an existing application. The application in question is actually this very blog!
## What is Docker
Before we dive into learning the basics of Docker let's first understand what Docker is and why it is so popular. Docker, is an operating system container management tool that allows you to easily manage and deploy applications by making it easy to package them within operating system containers.
### Containers vs. Virtual Machines
Containers may not be as familiar as virtual machines but they are another method to provide **Operating System Virtualization**. However, they differ quite a bit from standard virtual machines.
Standard virtual machines generally include a full Operating System, OS Packages and eventually an Application or two. This is made possible by a Hypervisor which provides hardware virtualization to the virtual machine. This allows for a single server to run many standalone operating systems as virtual guests.
Containers are similar to virtual machines in that they allow a single server to run multiple operating environments, these environments however, are not full operating systems. Containers generally only include the necessary OS Packages and Applications. They do not generally contain a full operating system or hardware virtualization. This also means that containers have a smaller overhead than traditional virtual machines.
Containers and Virtual Machines are often seen as conflicting technology, however, this is often a misunderstanding. Virtual Machines are a way to take a physical server and provide a fully functional operating environment that shares those physical resources with other virtual machines. A Container is generally used to isolate a running process within a single host to ensure that the isolated processes cannot interact with other processes within that same system. In fact containers are closer to **BSD Jails** and `chroot`'ed processes than full virtual machines.
### What Docker provides on top of containers
Docker itself is not a container runtime environment; in fact Docker is actually container technology agnostic with efforts planned for Docker to support [Solaris Zones](https://blog.docker.com/2015/08/docker-oracle-solaris-zones/) and [BSD Jails](https://wiki.freebsd.org/Docker). What Docker provides is a method of managing, packaging, and deploying containers. While these types of functions may exist to some degree for virtual machines they traditionally have not existed for most container solutions and the ones that existed, were not as easy to use or fully featured as Docker.
Now that we know what Docker is, let's start learning how Docker works by first installing Docker and deploying a public pre-built container.
## Starting with Installation
As Docker is not installed by default step 1 will be to install the Docker package; since our example system is running Ubuntu 14.0.4 we will do this using the Apt package manager.
```
# apt-get install docker.io
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
aufs-tools cgroup-lite git git-man liberror-perl
Suggested packages:
btrfs-tools debootstrap lxc rinse git-daemon-run git-daemon-sysvinit git-doc
git-el git-email git-gui gitk gitweb git-arch git-bzr git-cvs git-mediawiki
git-svn
The following NEW packages will be installed:
aufs-tools cgroup-lite docker.io git git-man liberror-perl
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,553 kB of archives.
After this operation, 46.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
```
To check if any containers are running we can execute the `docker` command using the `ps` option.
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
```
The `ps` function of the `docker` command works similar to the Linux `ps `command. It will show available Docker containers and their current status. Since we have not started any Docker containers yet, the command shows no running containers.
## Deploying a pre-built nginx Docker container
One of my favorite features of Docker is the ability to deploy a pre-built container in the same way you would deploy a package with `yum` or `apt-get`. To explain this better let's deploy a pre-built container running the nginx web server. We can do this by executing the `docker` command again, however, this time with the `run` option.
```
# docker run -d nginx
Unable to find image 'nginx' locally
Pulling repository nginx
5c82215b03d1: Download complete
e2a4fb18da48: Download complete
58016a5acc80: Download complete
657abfa43d82: Download complete
dcb2fe003d16: Download complete
c79a417d7c6f: Download complete
abb90243122c: Download complete
d6137c9e2964: Download complete
85e566ddc7ef: Download complete
69f100eb42b5: Download complete
cd720b803060: Download complete
7cc81e9a118a: Download complete
```
The `run` function of the `docker` command tells Docker to find a specified Docker image and start a container running that image. By default, Docker containers run in the foreground, meaning when you execute `docker run` your shell will be bound to the container's console and the process running within the container. In order to launch this Docker container in the background I included the `-d` (**detach**) flag.
By executing `docker ps` again we can see the nginx container running.
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f6d31ab01fc9 nginx:latest nginx -g 'daemon off 4 seconds ago Up 3 seconds 443/tcp, 80/tcp desperate_lalande
```
In the above output we can see the running container `desperate_lalande` and that this container has been built from the `nginx:latest image`.
### Docker Images
Images are one of Docker's key features and is similar to a virtual machine image. Like virtual machine images, a Docker image is a container that has been saved and packaged. Docker however, doesn't just stop with the ability to create images. Docker also includes the ability to distribute those images via Docker repositories which are a similar concept to package repositories. This is what gives Docker the ability to deploy an image like you would deploy a package with `yum`. To get a better understanding of how this works let's look back at the output of the `docker run` execution.
```
# docker run -d nginx
Unable to find image 'nginx' locally
```
The first message we see is that `docker` could not find an image named nginx locally. The reason we see this message is that when we executed `docker run` we told Docker to startup a container, a container based on an image named **nginx**. Since Docker is starting a container based on a specified image it needs to first find that image. Before checking any remote repository Docker first checks locally to see if there is a local image with the specified name.
Since this system is brand new there is no Docker image with the name nginx, which means Docker will need to download it from a Docker repository.
```
Pulling repository nginx
5c82215b03d1: Download complete
e2a4fb18da48: Download complete
58016a5acc80: Download complete
657abfa43d82: Download complete
dcb2fe003d16: Download complete
c79a417d7c6f: Download complete
abb90243122c: Download complete
d6137c9e2964: Download complete
85e566ddc7ef: Download complete
69f100eb42b5: Download complete
cd720b803060: Download complete
7cc81e9a118a: Download complete
```
This is exactly what the second part of the output is showing us. By default, Docker uses the [Docker Hub](https://hub.docker.com/) repository, which is a repository service that Docker (the company) runs.
Like GitHub, Docker Hub is free for public repositories but requires a subscription for private repositories. It is possible however, to deploy your own Docker repository, in fact it is as easy as `docker run registry`. For this article we will not be deploying a custom registry service.
### Stopping and Removing the Container
Before moving on to building a custom Docker container let's first clean up our Docker environment. We will do this by stopping the container from earlier and removing it.
To start a container we executed `docker` with the `run` option, in order to stop this same container we simply need to execute the `docker` with the `kill` option specifying the container name.
```
# docker kill desperate_lalande
desperate_lalande
```
If we execute `docker ps` again we will see that the container is no longer running.
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
```
However, at this point we have only stopped the container; while it may no longer be running it still exists. By default, `docker ps` will only show running containers, if we add the `-a` (all) flag it will show all containers running or not.
```
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f6d31ab01fc9 5c82215b03d1 nginx -g 'daemon off 4 weeks ago Exited (-1) About a minute ago desperate_lalande
```
In order to fully remove the container we can use the `docker` command with the `rm` option.
```
# docker rm desperate_lalande
desperate_lalande
```
While this container has been removed; we still have a **nginx** image available. If we were to re-run `docker run -d nginx` again the container would be started without having to fetch the nginx image again. This is because Docker already has a saved copy on our local system.
To see a full list of local images we can simply run the `docker` command with the `images` option.
```
# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
nginx latest 9fab4090484a 5 days ago 132.8 MB
```
## Building our own custom image
At this point we have used a few basic Docker commands to start, stop and remove a common pre-built image. In order to "Dockerize" this blog however, we are going to have to build our own Docker image and that means creating a **Dockerfile**.
With most virtual machine environments if you wish to create an image of a machine you need to first create a new virtual machine, install the OS, install the application and then finally convert it to a template or image. With Docker however, these steps are automated via a Dockerfile. A Dockerfile is a way of providing build instructions to Docker for the creation of a custom image. In this section we are going to build a custom Dockerfile that can be used to deploy this blog.
### Understanding the Application
Before we can jump into creating a Dockerfile we first need to understand what is required to deploy this blog.
The blog itself is actually static HTML pages generated by a custom static site generator that I wrote named; **hamerkop**. The generator is very simple and more about getting the job done for this blog specifically. All the code and source files for this blog are available via a public [GitHub](https://github.com/madflojo/blog) repository. In order to deploy this blog we simply need to grab the contents of the GitHub repository, install **Python** along with some **Python** modules and execute the `hamerkop` application. To serve the generated content we will use **nginx**; which means we will also need **nginx** to be installed.
So far this should be a pretty simple Dockerfile, but it will show us quite a bit of the [Dockerfile Syntax](https://docs.docker.com/v1.8/reference/builder/). To get started we can clone the GitHub repository and creating a Dockerfile with our favorite editor; `vi` in my case.
```
# git clone https://github.com/madflojo/blog.git
Cloning into 'blog'...
remote: Counting objects: 622, done.
remote: Total 622 (delta 0), reused 0 (delta 0), pack-reused 622
Receiving objects: 100% (622/622), 14.80 MiB | 1.06 MiB/s, done.
Resolving deltas: 100% (242/242), done.
Checking connectivity... done.
# cd blog/
# vi Dockerfile
```
### FROM - Inheriting a Docker image
The first instruction of a Dockerfile is the `FROM` instruction. This is used to specify an existing Docker image to use as our base image. This basically provides us with a way to inherit another Docker image. In this case we will be starting with the same **nginx** image we were using before, if we wanted to start with a blank slate we could use the **Ubuntu** Docker image by specifying `ubuntu:latest`.
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
```
In addition to the `FROM` instruction, I also included a `MAINTAINER` instruction which is used to show the Author of the Dockerfile.
As Docker supports using `#` as a comment marker, I will be using this syntax quite a bit to explain the sections of this Dockerfile.
### Running a test build
Since we inherited the **nginx** Docker image our current Dockerfile also inherited all the instructions within the [Dockerfile](https://github.com/nginxinc/docker-nginx/blob/08eeb0e3f0a5ee40cbc2bc01f0004c2aa5b78c15/Dockerfile) used to build that **nginx** image. What this means is even at this point we are able to build a Docker image from this Dockerfile and run a container from that image. The resulting image will essentially be the same as the **nginx** image but we will run through a build of this Dockerfile now and a few more times as we go to help explain the Docker build process.
In order to start the build from a Dockerfile we can simply execute the `docker` command with the **build** option.
```
# docker build -t blog /root/blog
Sending build context to Docker daemon 23.6 MB
Sending build context to Docker daemon
Step 0 : FROM nginx:latest
---> 9fab4090484a
Step 1 : MAINTAINER Benjamin Cane <ben@bencane.com>
---> Running in c97f36450343
---> 60a44f78d194
Removing intermediate container c97f36450343
Successfully built 60a44f78d194
```
In the above example I used the `-t` (**tag**) flag to "tag" the image as "blog". This essentially allows us to name the image, without specifying a tag the image would only be callable via an **Image ID** that Docker assigns. In this case the **Image ID** is `60a44f78d194` which we can see from the `docker` command's build success message.
In addition to the `-t` flag, I also specified the directory `/root/blog`. This directory is the "build directory", which is the directory that contains the Dockerfile and any other files necessary to build this container.
Now that we have run through a successful build, let's start customizing this image.
### Using RUN to execute apt-get
The static site generator used to generate the HTML pages is written in **Python** and because of this the first custom task we should perform within this `Dockerfile` is to install Python. To install the Python package we will use the Apt package manager. This means we will need to specify within the Dockerfile that `apt-get update` and `apt-get install python-dev` are executed; we can do this with the `RUN` instruction.
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
## Install python and pip
RUN apt-get update
RUN apt-get install -y python-dev python-pip
```
In the above we are simply using the `RUN` instruction to tell Docker that when it builds this image it will need to execute the specified `apt-get` commands. The interesting part of this is that these commands are only executed within the context of this container. What this means is even though `python-dev` and `python-pip` are being installed within the container, they are not being installed for the host itself. Or to put it simplier, within the container the `pip` command will execute, outside the container, the `pip` command does not exist.
It is also important to note that the Docker build process does not accept user input during the build. This means that any commands being executed by the `RUN` instruction must complete without user input. This adds a bit of complexity to the build process as many applications require user input during installation. For our example, none of the commands executed by `RUN` require user input.
### Installing Python modules
With **Python** installed we now need to install some Python modules. To do this outside of Docker, we would generally use the `pip` command and reference a file within the blog's Git repository named `requirements.txt`. In an earlier step we used the `git` command to "clone" the blog's GitHub repository to the `/root/blog` directory; this directory also happens to be the directory that we have created the `Dockerfile`. This is important as it means the contents of the Git repository are accessible to Docker during the build process.
When executing a build, Docker will set the context of the build to the specified "build directory". This means that any files within that directory and below can be used during the build process, files outside of that directory (outside of the build context), are inaccessible.
In order to install the required Python modules we will need to copy the `requirements.txt` file from the build directory into the container. We can do this using the `COPY` instruction within the `Dockerfile`.
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
## Install python and pip
RUN apt-get update
RUN apt-get install -y python-dev python-pip
## Create a directory for required files
RUN mkdir -p /build/
## Add requirements file and run pip
COPY requirements.txt /build/
RUN pip install -r /build/requirements.txt
```
Within the `Dockerfile` we added 3 instructions. The first instruction uses `RUN` to create a `/build/` directory within the container. This directory will be used to copy any application files needed to generate the static HTML pages. The second instruction is the `COPY` instruction which copies the `requirements.txt` file from the "build directory" (`/root/blog`) into the `/build` directory within the container. The third is using the `RUN` instruction to execute the `pip` command; installing all the modules specified within the `requirements.txt` file.
`COPY` is an important instruction to understand when building custom images. Without specifically copying the file within the Dockerfile this Docker image would not contain the requirements.txt file. With Docker containers everything is isolated, unless specifically executed within a Dockerfile a container is not likely to include required dependencies.
### Re-running a build
Now that we have a few customization tasks for Docker to perform let's try another build of the blog image again.
```
# docker build -t blog /root/blog
Sending build context to Docker daemon 19.52 MB
Sending build context to Docker daemon
Step 0 : FROM nginx:latest
---> 9fab4090484a
Step 1 : MAINTAINER Benjamin Cane <ben@bencane.com>
---> Using cache
---> 8e0f1899d1eb
Step 2 : RUN apt-get update
---> Using cache
---> 78b36ef1a1a2
Step 3 : RUN apt-get install -y python-dev python-pip
---> Using cache
---> ef4f9382658a
Step 4 : RUN mkdir -p /build/
---> Running in bde05cf1e8fe
---> f4b66e09fa61
Removing intermediate container bde05cf1e8fe
Step 5 : COPY requirements.txt /build/
---> cef11c3fb97c
Removing intermediate container 9aa8ff43f4b0
Step 6 : RUN pip install -r /build/requirements.txt
---> Running in c50b15ddd8b1
Downloading/unpacking jinja2 (from -r /build/requirements.txt (line 1))
Downloading/unpacking PyYaml (from -r /build/requirements.txt (line 2))
<truncated to reduce noise>
Successfully installed jinja2 PyYaml mistune markdown MarkupSafe
Cleaning up...
---> abab55c20962
Removing intermediate container c50b15ddd8b1
Successfully built abab55c20962
```
From the above build output we can see the build was successful, but we can also see another interesting message;` ---> Using cache`. What this message is telling us is that Docker was able to use its build cache during the build of this image.
#### Docker build cache
When Docker is building an image, it doesn't just build a single image; it actually builds multiple images throughout the build processes. In fact we can see from the above output that after each "Step" Docker is creating a new image.
```
Step 5 : COPY requirements.txt /build/
---> cef11c3fb97c
```
The last line from the above snippet is actually Docker informing us of the creating of a new image, it does this by printing the **Image ID**; `cef11c3fb97c`. The useful thing about this approach is that Docker is able to use these images as cache during subsequent builds of the **blog** image. This is useful because it allows Docker to speed up the build process for new builds of the same container. If we look at the example above we can actually see that rather than installing the `python-dev` and `python-pip` packages again, Docker was able to use a cached image. However, since Docker was unable to find a build that executed the `mkdir` command, each subsequent step was executed.
The Docker build cache is a bit of a gift and a curse; the reason for this is that the decision to use cache or to rerun the instruction is made within a very narrow scope. For example, if there was a change to the `requirements.txt` file Docker would detect this change during the build and start fresh from that point forward. It does this because it can view the contents of the `requirements.txt` file. The execution of the `apt-get` commands however, are another story. If the **Apt** repository that provides the Python packages were to contain a newer version of the python-pip package; Docker would not be able to detect the change and would simply use the build cache. This means that an older package may be installed. While this may not be a major issue for the `python-pip` package it could be a problem if the installation was caching a package with a known vulnerability.
For this reason it is useful to periodically rebuild the image without using Docker's cache. To do this you can simply specify `--no-cache=True` when executing a Docker build.
## Deploying the rest of the blog
With the Python packages and modules installed this leaves us at the point of copying the required application files and running the `hamerkop` application. To do this we will simply use more `COPY` and `RUN` instructions.
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
## Install python and pip
RUN apt-get update
RUN apt-get install -y python-dev python-pip
## Create a directory for required files
RUN mkdir -p /build/
## Add requirements file and run pip
COPY requirements.txt /build/
RUN pip install -r /build/requirements.txt
## Add blog code nd required files
COPY static /build/static
COPY templates /build/templates
COPY hamerkop /build/
COPY config.yml /build/
COPY articles /build/articles
## Run Generator
RUN /build/hamerkop -c /build/config.yml
```
Now that we have the rest of the build instructions, let's run through another build and verify that the image builds successfully.
```
# docker build -t blog /root/blog/
Sending build context to Docker daemon 19.52 MB
Sending build context to Docker daemon
Step 0 : FROM nginx:latest
---> 9fab4090484a
Step 1 : MAINTAINER Benjamin Cane <ben@bencane.com>
---> Using cache
---> 8e0f1899d1eb
Step 2 : RUN apt-get update
---> Using cache
---> 78b36ef1a1a2
Step 3 : RUN apt-get install -y python-dev python-pip
---> Using cache
---> ef4f9382658a
Step 4 : RUN mkdir -p /build/
---> Using cache
---> f4b66e09fa61
Step 5 : COPY requirements.txt /build/
---> Using cache
---> cef11c3fb97c
Step 6 : RUN pip install -r /build/requirements.txt
---> Using cache
---> abab55c20962
Step 7 : COPY static /build/static
---> 15cb91531038
Removing intermediate container d478b42b7906
Step 8 : COPY templates /build/templates
---> ecded5d1a52e
Removing intermediate container ac2390607e9f
Step 9 : COPY hamerkop /build/
---> 59efd1ca1771
Removing intermediate container b5fbf7e817b7
Step 10 : COPY config.yml /build/
---> bfa3db6c05b7
Removing intermediate container 1aebef300933
Step 11 : COPY articles /build/articles
---> 6b61cc9dde27
Removing intermediate container be78d0eb1213
Step 12 : RUN /build/hamerkop -c /build/config.yml
---> Running in fbc0b5e574c5
Successfully created file /usr/share/nginx/html//2011/06/25/checking-the-number-of-lwp-threads-in-linux
Successfully created file /usr/share/nginx/html//2011/06/checking-the-number-of-lwp-threads-in-linux
<truncated to reduce noise>
Successfully created file /usr/share/nginx/html//archive.html
Successfully created file /usr/share/nginx/html//sitemap.xml
---> 3b25263113e1
Removing intermediate container fbc0b5e574c5
Successfully built 3b25263113e1
```
### Running a custom container
With a successful build we can now start our custom container by running the `docker` command with the `run` option, similar to how we started the nginx container earlier.
```
# docker run -d -p 80:80 --name=blog blog
5f6c7a2217dcdc0da8af05225c4d1294e3e6bb28a41ea898a1c63fb821989ba1
```
Once again the `-d` (**detach**) flag was used to tell Docker to run the container in the background. However, there are also two new flags. The first new flag is `--name`, which is used to give the container a user specified name. In the earlier example we did not specify a name and because of that Docker randomly generated one. The second new flag is `-p`, this flag allows users to map a port from the host machine to a port within the container.
The base **nginx** image we used exposes port 80 for the HTTP service. By default, ports bound within a Docker container are not bound on the host system as a whole. In order for external systems to access ports exposed within a container the ports must be mapped from a host port to a container port using the `-p` flag. The command above maps port 80 from the host, to port 80 within the container. If we wished to map port 8080 from the host, to port 80 within the container we could do so by specifying the ports in the following syntax `-p 8080:80`.
From the above command it appears that our container was started successfully, we can verify this by executing `docker ps`.
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d264c7ef92bd blog:latest nginx -g 'daemon off 3 seconds ago Up 3 seconds 443/tcp, 0.0.0.0:80->80/tcp blog
```
## Wrapping up
At this point we now have a running custom Docker container. While we touched on a few Dockerfile instructions within this article we have yet to discuss all the instructions. For a full list of Dockerfile instructions you can checkout [Docker's reference page](https://docs.docker.com/v1.8/reference/builder/), which explains the instructions very well.
Another good resource is their [Dockerfile Best Practices page](https://docs.docker.com/engine/articles/dockerfile_best-practices/) which contains quite a few best practices for building custom Dockerfiles. Some of these tips are very useful such as strategically ordering the commands within the Dockerfile. In the above examples our Dockerfile has the `COPY` instruction for the `articles` directory as the last `COPY` instruction. The reason for this is that the `articles` directory will change quite often. It's best to put instructions that will change oftenat the lowest point possible within the Dockerfile to optimize steps that can be cached.
In this article we covered how to start a pre-built container and how to build, then deploy a custom container. While there is quite a bit to learn about Docker this article should give you a good idea on how to get started. Of course, as always if you think there is anything that should be added drop it in the comments below.
--------------------------------------
via:http://bencane.com/2015/12/01/getting-started-with-docker-by-dockerizing-this-blog/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+bencane%2FSAUo+%28Benjamin+Cane%29
作者Benjamin Cane
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
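Review bot: this hunk removes the whole English source of the Docker article with its translator and proofreader placeholders still unfilled (`译者:[译者ID]`, `校对:[校对者ID]`), and nothing in the hunk records where the text went, so the translated copy added elsewhere in this commit should be checked for the filled-in names and the `via:` link. Two things in the article itself are worth a translator's footnote if the Dockerfile is carried over verbatim: the `apt-get update` and `apt-get install -y python-dev python-pip` lines are separate `RUN` instructions (Steps 2 and 3), so a later edit to the install line re-runs against a cached, stale package index, which is exactly the stale-package and known-vulnerability pitfall the article describes under "Docker build cache"; combining them as `RUN apt-get update && apt-get install -y python-dev python-pip` avoids it. Minor typos in the source: "Ubuntu 14.0.4" (14.04), "simplier", "oftenat", and "Add blog code nd required files" in the final Dockerfile.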
@ -0,0 +1,49 @@
Fix: Cannot establish FTP connection to an SFTP server
================================================================================
### Problem ###
The other day I had to connect to my web server. I use [FileZilla][1] for connecting to FTP servers. When I entered the hostname and password and tried to connect to the FTP server, it gave me the following error:
> Error: Cannot establish FTP connection to an SFTP server. Please select proper protocol.
>
> Error: Critical error: Could not connect to server
![FileZilla Cannot establish FTP connection to an SFTP server](http://itsfoss.com/wp-content/uploads/2015/12/FileZilla_FTP_SFTP_Problem_1.jpeg)
### Reason ###
By reading the error message itself made me realize my mistake. I was trying to establish an [FTP][2] connection with an [SFTP][3] server. Clearly, I was not using the correct protocol (which should have been SFTP and not FTP).
As you can see in the picture above, FileZilla defaults to FTP protocol.
### Solution for “Cannot establish FTP connection to an SFTP server” ###
Solution is simple. Use SFTP protocol instead of FTP. The one problem you might face is to know how to change the protocol to SFTP. This is where I am going to help you.
In FileZilla menu, go to **File->Site Manager**.
![FileZilla Site Manager](http://itsfoss.com/wp-content/uploads/2015/12/FileZilla_FTP_SFTP_Problem_2.jpeg)
In the Site Manager, go in General tab and select SFTP in Protocol. Also fill in the host server, port number, user password etc.
![Cannot establish FTP connection to an SFTP server](http://itsfoss.com/wp-content/uploads/2015/12/FileZilla_FTP_SFTP_Problem_3.png)
I hope you can handle things from here onward.
I hope this quick tutorial helped you to fix “Cannot establish FTP connection to an SFTP server. Please select proper protocol.” problem. In related articles, you can read this post to [know how to set up FTP server in Linux][4].
--------------------------------------------------------------------------------
via: http://itsfoss.com/fix-establish-ftp-connection-sftp-server/
作者:[Abhishek][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://itsfoss.com/author/abhishek/
[1]:https://filezilla-project.org/
[2]:https://en.wikipedia.org/wiki/File_Transfer_Protocol
[3]:https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
[4]:http://itsfoss.com/set-ftp-server-linux/
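Review bot: the Site Manager step ("fill in the host server, port number, user password etc.") does not say that the port changes together with the protocol: SFTP runs over SSH, so the port is the server's SSH port (22 by default) rather than FTP's 21, and leaving the FTP port in place after switching to SFTP produces a different connection error. It would also help readers to mention that on the first SFTP connection FileZilla shows the server's SSH host key fingerprint and asks whether to trust it; the fingerprint should be compared against the one obtained from the server before accepting, since that prompt is the only protection against connecting to an impostor host.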
@ -0,0 +1,104 @@
How to Install Light Table 0.8 in Ubuntu 14.04, 15.10
================================================================================
![](http://ubuntuhandbook.org/wp-content/uploads/2014/11/LightTable-IDE-logo-icon.png)
The Light Table IDE has just reached a new stable release after more than one year of development. Now it provides 64-bit only binary for Linux.
Changes in LightTable 0.8.0:
- CHANGED: We have switched to Electron from NW.js
- CHANGED: LTs releases and self-updating processes are completely in the open on Github
- ADDED: LT can be built from source with provided scripts across supported platforms
- ADDED: Most of LTs node libraries are installed as npm dependencies instead of as forked libraries
- ADDED: Significant documentation. See more below
- FIX: Major usability issues on >= OSX 10.10
- CHANGED: 32-bit linux is no longer an official download. Building from source will still be supported
- FIX: ClojureScript eval for modern versions of ClojureScript
- More details at [github.com/LightTable/LightTable/releases][1]
![LightTable 0.8.0](http://ubuntuhandbook.org/wp-content/uploads/2015/12/lighttable-08.jpg)
### How to Install Light Table 0.8.0 in Ubuntu: ###
Below steps show you how to install the official binary in Ubuntu. Works on all current Ubuntu releases (**64-bit only**).
Before getting started, please make a backup if you have a previous release installed.
**1.** Download the Linux binary from link below:
- [lighttable-0.8.0-linux.tar.gz][2]
**2.** Open terminal from Unity Dash, App Launcher, or via Ctrl+Alt+T keys. When it opens, paste below command and hit enter:
gksudo file-roller ~/Downloads/lighttable-0.8.0-linux.tar.gz
![open-via-fileroller](http://ubuntuhandbook.org/wp-content/uploads/2015/12/open-via-fileroller.jpg)
Install `gksu` from Ubuntu Software Center if the command does not work.
**3.** Previous command opens the downloaded archive via Archive Manager using root user privilege.
When it opens, do:
- right-click and rename the folder name to **LightTable**
- extract it to **Computer -> /opt/** directory.
![extract-lighttable](http://ubuntuhandbook.org/wp-content/uploads/2015/12/extract-lighttable.jpg)
Finally you should have the LightTable installed to /opt/ directory:
![lighttable-in-opt](http://ubuntuhandbook.org/wp-content/uploads/2015/12/lighttable-in-opt.jpg)
**4.** Create a launcher so you can start LightTable from Unity Dash or App Launcher.
Open terminal and run below command to create & edit a launcher file for LightTable:
gksudo gedit /usr/share/applications/lighttable.desktop
When the file opens via Gedit text editor, paste below and save the file:
[Desktop Entry]
Version=1.0
Type=Application
Name=Light Table
GenericName=Text Editor
Comment=Open source IDE that modify, from running programs to embed websites and games
Exec=/opt/LightTable/LightTable %F
Terminal=false
MimeType=text/plain;
Icon=/opt/LightTable/resources/app/core/img/lticon.png
Categories=TextEditor;Development;Utility;
StartupNotify=true
Actions=Window;Document;
Name[en_US]=Light Table
[Desktop Action Window]
Name=New Window
Exec=/opt/LightTable/LightTable -n
OnlyShowIn=Unity;
[Desktop Action Document]
Name=New File
Exec=/opt/LightTable/LightTable --command new_file
OnlyShowIn=Unity;
So it looks like:
![lighttable-launcher](http://ubuntuhandbook.org/wp-content/uploads/2015/12/lighttable-launcher.jpg)
Finally launch the IDE from Unity Dash or Application Launcher and enjoy!
--------------------------------------------------------------------------------
via: http://ubuntuhandbook.org/index.php/2015/12/install-light-table-0-8-ubuntu-14-04/
作者:[Ji m][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://ubuntuhandbook.org/index.php/about/
[1]:https://github.com/LightTable/LightTable/releases
[2]:https://github.com/LightTable/LightTable/releases/download/0.8.0/lighttable-0.8.0-linux.tar.gz
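Review bot: steps 2 and 3 run a GUI archive manager as root (`gksudo file-roller ~/Downloads/lighttable-0.8.0-linux.tar.gz`) only so that the extracted tree can be written under /opt; suggest extracting and renaming the folder as the normal user and then moving it with a single privileged command (for example `sudo mv LightTable /opt/`), which keeps the root-privileged step small and easy to audit. The launcher file also carries a garbled description, `Comment=Open source IDE that modify, from running programs to embed websites and games`; a plain "Comment=Open source IDE" (or the project's own tagline) reads better.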

View File

@ -0,0 +1,110 @@
How to block network traffic by country on Linux
================================================================================
As a system admin who maintains production Linux servers, there are circumstances where you need to **selectively block or allow network traffic based on geographic locations**. For example, you are experiencing denial-of-service attacks mostly originating from IP addresses registered with a particular country. You want to block SSH logins from unknown foreign countries for security reasons. Your company has a distribution right to online videos, which requires it to legally stream to particular countries only. You need to prevent any local host from uploading documents to any non-US remote cloud storage due to geo-restriction company policies.
All these scenarios require an ability to set up a firewall which does **country-based traffic filtering**. There are a couple of ways to do that. For one, you can use TCP wrappers to set up conditional blocking for individual applications (e.g., SSH, NFS, httpd). The downside is that the application you want to protect must be built with TCP wrappers support. Besides, TCP wrappers are not universally available across different platforms (e.g., Arch Linux [dropped][2] its support). An alternative approach is to set up [ipset][3] with country-based GeoIP information and apply it to iptables rules. The latter approach is more promising as the iptables-based filtering is application-agnostic and easy to set up.
In this tutorial, I am going to present **another iptables-based GeoIP filtering which is implemented with xtables-addons**. For those unfamiliar with it, xtables-addons is a suite of extensions for netfilter/iptables. Included in xtables-addons is a module called xt_geoip which extends the netfilter/iptables to filter, NAT or mangle packets based on source/destination countries. For you to use xt_geoip, you don't need to recompile the kernel or iptables, but only need to build xtables-addons as modules, using the current kernel build environment (/lib/modules/`uname -r`/build). Reboot is not required either. As soon as you build and install xtables-addons, xt_geoip is immediately usable with iptables.
As for the comparison between xt_geoip and ipset, the [official source][3] mentions that xt_geoip is superior to ipset in terms of memory foot print. But in terms of matching speed, hash-based ipset might have an edge.
In the rest of the tutorial, I am going to show **how to use iptables/xt_geoip to block network traffic based on its source/destination countries**.
### Install Xtables-addons on Linux ###
Here is how you can compile and install xtables-addons on various Linux platforms.
To build xtables-addons, you need to install a couple of dependent packages first.
#### Install Dependencies on Debian, Ubuntu or Linux Mint ####
$ sudo apt-get install iptables-dev xtables-addons-common libtext-csv-xs-perl pkg-config
#### Install Dependencies on CentOS, RHEL or Fedora ####
CentOS/RHEL 6 requires EPEL repository being set up first (for perl-Text-CSV_XS).
$ sudo yum install gcc-c++ make automake kernel-devel-`uname -r` wget unzip iptables-devel perl-Text-CSV_XS
#### Compile and Install Xtables-addons ####
Download the latest `xtables-addons` source code from the [official site][4], and build/install it as follows.
$ wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.10.tar.xz
$ tar xf xtables-addons-2.10.tar.xz
$ cd xtables-addons-2.10
$ ./configure
$ make
$ sudo make install
Note that for Red Hat based systems (CentOS, RHEL, Fedora) which have SELinux enabled by default, it is necessary to adjust SELinux policy as follows. Otherwise, SELinux will prevent iptables from loading xt_geoip module.
$ sudo chcon -vR --user=system_u /lib/modules/$(uname -r)/extra/*.ko
$ sudo chcon -vR --type=lib_t /lib64/xtables/*.so
### Install GeoIP Database for Xtables-addons ###
The next step is to install GeoIP database which will be used by xt_geoip for IP-to-country mapping. Conveniently, the xtables-addons source package comes with two helper scripts for downloading GeoIP database from MaxMind and converting it into a binary form recognized by xt_geoip. These scripts are found in geoip folder inside the source package. Follow the instructions below to build and install GeoIP database on your system.
$ cd geoip
$ ./xt_geoip_dl
$ ./xt_geoip_build GeoIPCountryWhois.csv
$ sudo mkdir -p /usr/share/xt_geoip
$ sudo cp -r {BE,LE} /usr/share/xt_geoip
According to [MaxMind][5], their GeoIP database is 99.8% accurate on a country-level, and the database is updated every month. To keep the locally installed GeoIP database up-to-date, you want to set up a monthly [cron job][6] to refresh the local GeoIP database as often.
### Block Network Traffic Originating from or Destined to a Country ###
Once xt_geoip module and GeoIP database are installed, you can immediately use the geoip match options in iptables command.
$ sudo iptables -m geoip --src-cc country[,country...] --dst-cc country[,country...]
Countries you want to block are specified using [two-letter ISO3166 code][7] (e.g., US (United States), CN (China), IN (India), FR (France)).
For example, if you want to block incoming traffic from Yemen (YE) and Zambia (ZM), the following iptables command will do.
$ sudo iptables -I INPUT -m geoip --src-cc YE,ZM -j DROP
If you want to block outgoing traffic destined to China (CN), run the following command.
$ sudo iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
The matching condition can also be "negated" by prepending "!" to "--src-cc" or "--dst-cc". For example:
If you want to block all incoming non-US traffic on your server, run this:
$ sudo iptables -I INPUT -m geoip ! --src-cc US -j DROP
![](https://c2.staticflickr.com/6/5654/23665427845_050241b03f_c.jpg)
#### For Firewall-cmd Users ####
Some distros such as CentOS/RHEL 7 or Fedora have replaced iptables with firewalld as the default firewall service. On such systems, you can use firewall-cmd to block traffic using xt_geoip similarly. The above three examples can be rewritten with firewall-cmd as follows.
$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip --src-cc YE,ZM -j DROP
$ sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m geoip --dst-cc CN -j DROP
$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip ! --src-cc US -j DROP
### Conclusion ###
In this tutorial, I presented iptables/xt_geoip which is an easy way to filter network packets based on their source/destination countries. This can be a useful arsenal to deploy in your firewall system if needed. As a final word of caution, I should mention that GeoIP-based traffic filtering is not a foolproof way to ban certain countries on your server. GeoIP database is by nature inaccurate/incomplete, and source/destination geography can easily be spoofed using VPN, Tor or any compromised relay hosts. Geography-based filtering can even block legitimate traffic that should not be banned. Understand this limitation before you decide to deploy it in your production environment.
--------------------------------------------------------------------------------
via: http://xmodulo.com/block-network-traffic-by-country-linux.html
作者:[Dan Nanni][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://xmodulo.com/author/nanni
[1]:https://www.archlinux.org/news/dropping-tcp_wrappers-support/
[2]:http://xmodulo.com/block-unwanted-ip-addresses-linux.html
[3]:http://xtables-addons.sourceforge.net/geoip.php
[4]:http://xtables-addons.sourceforge.net/
[5]:https://support.maxmind.com/geoip-faq/geoip2-and-geoip-legacy-databases/how-accurate-are-your-geoip2-and-geoip-legacy-databases/
[6]:http://ask.xmodulo.com/add-cron-job-linux.html
[7]:https://en.wikipedia.org/wiki/ISO_3166-1
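Review bot: the rule `$ sudo iptables -I INPUT -m geoip ! --src-cc US -j DROP` is inserted at the head of INPUT with no rule shown before it, so it drops every packet whose source is not classified as US, including addresses that have no entry in the country database at all (loopback and private ranges); suggest the example accept `-i lo`, RELATED/ESTABLISHED and the management network before this rule, or an admin applying it over SSH from an unmapped address may lock themselves out. Two link numbers are also wrong: the text says Arch Linux `[dropped][2]` its TCP wrappers support, but `[2]` is the "block unwanted IP addresses" article while `[1]` (the Arch news post) is never cited, and both `[ipset][3]` and `[official source][3]` point at geoip.php. Finally, `$ wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.10.tar.xz` fetches kernel module source over plain HTTP with no checksum or signature check before `$ sudo make install`; at least note the verification step.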

View File

@ -0,0 +1,105 @@
How to enable Software Collections (SCL) on CentOS
================================================================================
Red Hat Enterprise Linux (RHEL) and its community fork, CentOS, offer 10-year life cycle, meaning that each version of RHEL/CentOS is updated with security patches for up to 10 years. While such long life cycle guarantees much needed system compatibility and reliability for enterprise users, a downside is that core applications and run-time environments grow antiquated as the underlying RHEL/CentOS version becomes close to end-of-life (EOF). For example, CentOS 6.5, whose EOL is dated to November 30th 2020, comes with python 2.6.6 and MySQL 5.1.73, which are already pretty old by today's standard.
On the other hand, attempting to manually upgrade development toolchains and run-time environments on RHEL/CentOS may potentially break your system unless all dependencies are resolved correctly. Under normal circumstances, manual upgrade is not recommended unless you know what you are doing.
The [Software Collections][1] (SCL) repository came into being to help with RHEL/CentOS users in this situation. The SCL is created to provide RHEL/CentOS users with a means to easily and safely install and use multiple (and potentially more recent) versions of applications and run-time environments "without" messing up the existing system. This is in contrast to other third party repositories which could cause conflicts among installed packages.
The latest SCL offers:
- Python 3.3 and 2.7
- PHP 5.4
- Node.js 0.10
- Ruby 1.9.3
- Perl 5.16.3
- MariaDB and MySQL 5.5
- Apache httpd 2.4.6
In the rest of the tutorial, let me show you how to set up the SCL repository and how to install and enable the packages from the SCL.
### Set up the Software Collections (SCL) Repository ###
The SCL is available on CentOS 6.5 and later. To set up the SCL, simply run:
$ sudo yum install centos-release-SCL
To enable and run applications from the SCL, you also need to install the following package.
$ sudo yum install scl-utils-build
You can browse a complete list of packages available from the SCL repository by running:
$ yum --disablerepo="*" --enablerepo="scl" list available
![](https://c2.staticflickr.com/6/5730/23304424250_f5c8a09584_c.jpg)
### Install and Enable a Package from the SCL ###
Now that you have set up the SCL, you can go ahead and install any package from the SCL.
You can search for SCL packages with:
$ yum --disablerepo="*" --enablerepo="scl" search <keyword>
Let's say you want to install python 3.3.
Go ahead and install it as usual with yum:
$ sudo yum install python33
At any time you can check the list of packages you installed from the SCL by running:
$ scl --list
----------
python33
A nice thing about the SCL is that installing a package from the SCL does NOT overwrite any system files, and is guaranteed to not cause any conflicts with other system libraries and applications.
For example, if you check the default python version after installing python33, you will see that the default version is still the same:
$ python --version
----------
Python 2.6.6
If you want to try an installed SCL package, you need to explicitly enable it "on a per-command basis" using scl:
$ scl enable <scl-package-name> <command>
For example, to enable python33 package for python command:
$ scl enable python33 'python --version'
----------
Python 3.3.2
If you want to run multiple commands while enabling python33 package, you can actually create an SCL-enabled bash session as follows.
$ scl enable python33 bash
Within this bash session, the default python will be switched to 3.3 until you type exit and kill the session.
![](https://c2.staticflickr.com/6/5642/23491549632_1d08e163cc_c.jpg)
In short, the SCL is somewhat similar to the virtualenv of Python, but is more general in that you can enable/disable SCL sessions for a far greater number of applications than just Python.
For more detailed instructions on the SCL, refer to the official [quick start guide][2].
--------------------------------------------------------------------------------
via: http://xmodulo.com/enable-software-collections-centos.html
作者:[Dan Nanni][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://xmodulo.com/author/nanni
[1]:https://www.softwarecollections.org/
[2]:https://www.softwarecollections.org/docs/
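Review bot: "becomes close to end-of-life (EOF)" in the opening paragraph should read "(EOL)", matching "whose EOL is dated" in the next sentence. The later claim that an SCL install "is guaranteed to not cause any conflicts with other system libraries and applications" is stronger than the earlier, hedged "without" messing up the existing system; "is designed not to conflict" would be consistent. The sample outputs also use a bare `----------` separator between command and output (`$ scl --list` / `----------` / `python33`), which the other files in this commit do not; consider the "Sample outputs:" convention used elsewhere.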

View File

@ -0,0 +1,101 @@
translation by strugglingyouth
Linux Desktop Fun: Summon Swarms Of Penguins To Waddle About The Desktop
================================================================================
XPenguins is a program for animating cute cartoons animals in your root window. By default it will be penguins they drop in from the top of the screen, walk along the tops of your windows, up the side of your windows, levitate, skateboard, and do other similarly exciting things. Now you can send an army of cute little penguins to invade the screen of someone else on your network.
### Install XPenguins ###
Open a command-line terminal (select Applications > Accessories > Terminal), and then type the following commands to install XPenguins program. First, type the command apt-get update to tell apt to refresh its package information by querying the configured repositories and then install the required program:
$ sudo apt-get update
$ sudo apt-get install xpenguins
### How do I Start XPenguins Locally? ###
Type the following command:
$ xpenguins
Sample outputs:
![An army of cute little penguins invading the screen](http://files.cyberciti.biz/uploads/tips/2011/07/Workspace-1_002_12_07_2011.png)
An army of cute little penguins invading the screen
![Linux: Cute little penguins walking along the tops of your windows](http://files.cyberciti.biz/uploads/tips/2011/07/Workspace-1_001_12_07_2011.png)
Linux: Cute little penguins walking along the tops of your windows
![Xpenguins Screenshot](http://files.cyberciti.biz/uploads/tips/2011/07/xpenguins-screenshot.jpg)
Xpenguins Screenshot
Be careful when you move windows as the little guys squash easily. If you send the program an interupt signal (Ctrl-C) they will burst.
### Themes ###
To list themes, enter:
$ xpenguins -l
Sample outputs:
Big Penguins
Bill
Classic Penguins
Penguins
Turtles
You can use alternative themes as follows:
$ xpenguins --theme "Big Penguins" --theme "Turtles"
You can install additional themes as follows:
$ cd /tmp
$ wget http://xpenguins.seul.org/xpenguins_themes-1.0.tar.gz
$ tar -zxvf xpenguins_themes-1.0.tar.gz
$ mkdir ~/.xpenguins
$ mv -v themes ~/.xpenguins/
$ xpenguins -l
Sample outputs:
Lemmings
Sonic the Hedgehog
The Simpsons
Winnie the Pooh
Worms
Big Penguins
Bill
Classic Penguins
Penguins
Turtles
To start with a random theme, enter:
$ xpenguins --random-theme
To load all available themes and run them simultaneously, enter:
$ xpenguins --all
More links and information:
- [XPenguins][1] home page.
- man penguins
- More Linux / UNIX desktop fun with [Steam Locomotive][2] and [Terminal ASCII Aquarium][3].
--------------------------------------------------------------------------------
via: http://www.cyberciti.biz/tips/linux-cute-little-xpenguins-walk-along-tops-ofyour-windows.html
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://xpenguins.seul.org/
[2]:http://www.cyberciti.biz/tips/displays-animations-when-accidentally-you-type-sl-instead-of-ls.html
[3]:http://www.cyberciti.biz/tips/linux-unix-apple-osx-terminal-ascii-aquarium.html
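Review bot: the "More links and information" list says `man penguins`, but the program installed and run throughout this file is `xpenguins`, so the reference should be `man xpenguins`. Typo: "If you send the program an interupt signal (Ctrl-C)" should read "interrupt". The theme install step (`$ wget http://xpenguins.seul.org/xpenguins_themes-1.0.tar.gz` then `$ mv -v themes ~/.xpenguins/`) assumes the archive unpacks to a top-level `themes` directory; worth stating, since with a different layout the `mv` has nothing to move.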

View File

@ -0,0 +1,75 @@
Linux / UNIX Desktop Fun: Let it Snow On Your Desktop
================================================================================
Feeling lonely this holiday season? Try Xsnow. This little app will let it snow on the Unix / Linux desktop. Santa and his reindeer will complete your festive season feeling with moving snowflakes on your desktop, with Santa Claus running all over the screen.
I first installed this 13 or 14 years ago. It was was originally created for Macintosh systems in 1984. You can install it as follows:
### Install xsnow ###
Debian / Ubuntu / Mint users type the following command:
$ sudo apt-get install xsnow
Freebsd users type the following command to install the same:
# cd /usr/ports/x11/xsnow/
# make install clean
OR, try to add the package:
# pkg_add -r xsnow
#### A Note About Other Distros ####
1. Fedora / RHEL / CentOS Linux desktop users may find the package using [rpmfusion][1] repo.
1. Gentoo user try Gentoo portage i.e. [emerge -p xsnow][2]
1. OpenSuse Linux user try Yast and search for xsnow.
### How Do I Use xsnow? ###
Open a command-line terminal (select Applications > Accessories > Terminal), and then type the following to starts xsnow:
$ xsnow
Sample outputs:
![Fig.01: Snow for your Linux and Unix desktop systems](http://files.cyberciti.biz/uploads/tips/2011/12/application-to-bring-snow-to-desktop_small.png)
Fig.01: Snow for your Linux and Unix desktop systems
You can set the background to a blue color and lets it snow white, type:
$ xsnow -bg blue -sc snow
To set the maximum number of snowflakes and runs as fast as possible, type:
$ xsnow -snowflakes 10000 -delay 0
Do not display the trees and Santa Claus running all over the screen, enter:
$ xsnow -notrees -nosanta
For more information about xsnow and other options, please see the manual page by typing man xsnow from the command line:
$ man xsnow
Recommended readings:
- [Download Xsnow][1] from the official site.
- Please note that [MS-Windows][2] and [Mac OS X version][3] attracts one time shareware fee.
--------------------------------------------------------------------------------
via: http://www.cyberciti.biz/tips/linux-unix-xsnow.html
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://rpmfusion.org/Configuration
[2]:http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
[3]:http://dropmix.xs4all.nl/rick/Xsnow/
[4]:http://dropmix.xs4all.nl/rick/WinSnow/
[5]:http://dropmix.xs4all.nl/rick/MacOSXSnow/
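Review bot: the "Recommended readings" links are off by two: `[Download Xsnow][1]` resolves to the rpmfusion configuration page and `[MS-Windows][2]` to the Gentoo handbook, while the Xsnow, WinSnow and MacOSXSnow pages are defined as `[3]`, `[4]` and `[5]` and never referenced; renumber the two links to `[3]`, `[4]` and `[5]`. Also: "It was was originally created" (doubled "was"), "Freebsd" should be "FreeBSD" as in the other files in this commit, and "lets it snow white" / "runs as fast as possible" should read "let it snow white" / "run as fast as possible".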

View File

@ -0,0 +1,39 @@
Linux / UNIX Desktop Fun: Steam Locomotive
================================================================================
One of the most [common mistake][1] is typing sl instead of ls command. I actually set [an alias][2] i.e. alias sl=ls; but then you may miss out the steam train with whistle.
sl is a joke software or classic UNIX game. It is a steam locomotive runs across your screen if you type "sl" (Steam Locomotive) instead of "ls" by mistake.
### Install sl ###
Type the following command under Debian / Ubuntu Linux, enter:
# apt-get install sl
It is also available on FreeBSD and other UNIX like operating systems. Next, mistyped ls command as sl:
$ sl
![Fig.01: Run steam locomotive across the screen if you type "sl" instead of "ls"](http://files.cyberciti.biz/uploads/tips/2011/05/sl_command_steam_locomotive.png)
Fig.01: Run steam locomotive across the screen if you type "sl" instead of "ls"
It also supports the following options:
- **-a** : An accident seems to happen. You'll feel pity for people who cry for help.
- **-l** : shows little one.
- **-F** : It flies.
- **-e** : Allow interrupt by Ctrl+C.
--------------------------------------------------------------------------------
via: http://www.cyberciti.biz/tips/displays-animations-when-accidentally-you-type-sl-instead-of-ls.html
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://www.cyberciti.biz/tips/my-10-unix-command-line-mistakes.html
[2]:http://bash.cyberciti.biz/guide/Create_and_use_aliases
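Review bot: grammar in the opening paragraphs: "One of the most common mistake" should be "mistakes", "It is a steam locomotive runs across your screen" should be "that runs across", and "Next, mistyped ls command as sl" should be "Next, mistype the ls command as sl". The install section uses a root `#` prompt (`# apt-get install sl`) while the other Debian/Ubuntu files in this commit use `$ sudo apt-get install ...`; pick one convention.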

View File

@ -0,0 +1,64 @@
Linux / UNIX Desktop Fun: Terminal ASCII Aquarium
================================================================================
You can now enjoy mysteries of the sea from the safety of your own terminal using ASCIIQuarium. It is an aquarium/sea animation in ASCII art created using perl.
### Install Term::Animation ###
First, you need to install Perl module called Term-Animation. Open a command-line terminal (select Applications > Accessories > Terminal), and then type:
$ sudo apt-get install libcurses-perl
$ cd /tmp
$ wget http://search.cpan.org/CPAN/authors/id/K/KB/KBAUCOM/Term-Animation-2.4.tar.gz
$ tar -zxvf Term-Animation-2.4.tar.gz
$ cd Term-Animation-2.4/
$ perl Makefile.PL && make && make test
$ sudo make install
### Download and Install ASCIIQuarium ###
While still at bash prompt, type:
$ cd /tmp
$ wget http://www.robobunny.com/projects/asciiquarium/asciiquarium.tar.gz
$ tar -zxvf asciiquarium.tar.gz
$ cd asciiquarium_1.0/
$ sudo cp asciiquarium /usr/local/bin
$ sudo chmod 0755 /usr/local/bin/asciiquarium
### How do I view my ASCII Aquarium? ###
Simply type the following command:
$ /usr/local/bin/asciiquarium
OR
$ perl /usr/local/bin/asciiquarium
![Fig.01: ASCII Aquarium](http://s0.cyberciti.org/uploads/tips/2011/01/screenshot-ASCIIQuarium.png)
### Related media ###
youtube 视频
<iframe width="596" height="335" frameborder="0" allowfullscreen="" src="//www.youtube.com/embed/MzatWgu67ok"></iframe>
[Video 01: ASCIIQuarium - Sea Animation on Linux / Unix Desktop][1]
### Download: erminal ASCII Aquarium KDE and Mac OS X Version ###
[Download asciiquarium][2]. If you're running Mac OS X, try a packaged [version][3] that will run out of the box. For KDE users, try a [KDE Screensaver][4] based on the Asciiquarium.
--------------------------------------------------------------------------------
via: http://www.cyberciti.biz/tips/linux-unix-apple-osx-terminal-ascii-aquarium.html
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://youtu.be/MzatWgu67ok
[2]:http://www.robobunny.com/projects/asciiquarium/html/
[3]:http://habilis.net/macasciiquarium/
[4]:http://kde-look.org/content/show.php?content=29207
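Review bot: heading typo: `### Download: erminal ASCII Aquarium KDE and Mac OS X Version ###` should read "Terminal". The build step `$ perl Makefile.PL && make && make test` followed by `$ sudo make install` installs a CPAN tarball fetched over plain HTTP (`$ wget http://search.cpan.org/CPAN/authors/id/K/KB/KBAUCOM/Term-Animation-2.4.tar.gz`) system-wide with no checksum; at minimum mention verifying the download, or prefer a distribution package of Term::Animation where one is available.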

View File

@ -0,0 +1,89 @@
Linux / Unix Desktop Fun: Cat And Mouse Chase All Over Your Screen
================================================================================
Oneko is a little fun app. It will change your cursor into mouse and creates a little cute cat and the cat start chasing around your mouse cursor. The word "neko" means "cat" in Japanese and it was originally written by a Japanese author as a Macintosh desktop accessory.
### Install oneko ###
Type the following command:
$ sudo apt-get install oneko
Sample outputs:
[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
oneko
0 upgraded, 1 newly installed, 0 to remove and 10 not upgraded.
Need to get 38.6 kB of archives.
After this operation, 168 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main oneko amd64 1.2.sakura.6-7 [38.6 kB]
Fetched 38.6 kB in 1s (25.9 kB/s)
Selecting previously deselected package oneko.
(Reading database ... 274152 files and directories currently installed.)
Unpacking oneko (from .../oneko_1.2.sakura.6-7_amd64.deb) ...
Processing triggers for menu ...
Processing triggers for man-db ...
Setting up oneko (1.2.sakura.6-7) ...
Processing triggers for menu ...
FreeBSD unix user type the following command to install oneko:
# cd /usr/ports/games/oneko
# make install clean
### How do I use oneko? ###
Simply type the following command:
$ oneko
You can make cat into "tora-neko", a cat wite tiger-like stripe:
$ oneko -tora
### Not a cat person? ###
You can run a dog instead of a cat:
$ oneko -dog
The followin will runs Sakura Kinomoto instead of a cat:
$ oneko -sakura
Runs Tomoyo Daidouji instead of a cat:
$ oneko -tomoyo
### Check out related media ###
This tutorial also available in video format:
youtube 视频
<iframe width="596" height="335" frameborder="0" allowfullscreen="" src="http://www.youtube.com/embed/Nm3SkXThL0s"></iframe>
(Video.01: Demo - Install and use oneko under Linux)
### Other options ###
You can pass the following options:
1. **-tofocus** : Makes cat run to and on top of focus window. When focus window is not in sight, cat chases mouse as usually.
1. **-position geometry** : Specify X and Y offsets in pixels to adjust position of cat relative to mouse pointer./li>
1. **-rv** : Reverse background color and foreground color.
1. **-fg color** : Foreground color (e.g., oneko -dog -fg red).
1. **-bg color** : Background color (e.g., oneko -dog -bg green).
1. See oneko man page for more information.
--------------------------------------------------------------------------------
via: http://www.cyberciti.biz/open-source/oneko-app-creates-cute-cat-chasing-around-your-mouse/
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
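Review bot: HTML residue in the options list: `1. **-position geometry** : Specify X and Y offsets in pixels to adjust position of cat relative to mouse pointer./li>` has a stray `/li>` at the end. Typos: "a cat wite tiger-like stripe" should read "with tiger-like stripes", and "The followin will runs Sakura Kinomoto" should read "The following runs Sakura Kinomoto".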

View File

@ -0,0 +1,201 @@
Linux / Unix Desktop Fun: Text Mode ASCII-art Box and Comment Drawing
================================================================================
Boxes command is a text filter and a little known tool that can draw any kind of ASCII art box around its input text or code for fun and profit. You can quickly create email signatures, or create regional comments in any programming language. This command was intended to be used with the vim text editor, but can be tied to any text editor which supports filters, as well as from the command line as a standalone tool.
### Task: Install boxes ###
Use the [apt-get command][1] to install boxes under Debian / Ubuntu Linux:
$ sudo apt-get install boxes
Sample outputs:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
boxes
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 0 B/59.8 kB of archives.
After this operation, 205 kB of additional disk space will be used.
Selecting previously deselected package boxes.
(Reading database ... 224284 files and directories currently installed.)
Unpacking boxes (from .../boxes_1.0.1a-2.3_amd64.deb) ...
Processing triggers for man-db ...
Setting up boxes (1.0.1a-2.3) ...
RHEL / CentOS / Fedora Linux users, use the [yum command to install boxes][2] (first [enable EPEL repo as described here][3]):
# yum install boxes
Sample outputs:
Loaded plugins: rhnplugin
Setting up Install Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package boxes.x86_64 0:1.1-8.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================
Package Arch Version Repository Size
==========================================================================
Installing:
boxes x86_64 1.1-8.el6 epel 64 k
Transaction Summary
==========================================================================
Install 1 Package(s)
Total download size: 64 k
Installed size: 151 k
Is this ok [y/N]: y
Downloading Packages:
boxes-1.1-8.el6.x86_64.rpm | 64 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : boxes-1.1-8.el6.x86_64 1/1
Installed:
boxes.x86_64 0:1.1-8.el6
Complete!
FreeBSD user can use the port as follows:
cd /usr/ports/misc/boxes/ && make install clean
Or, add the package using the pkg_add command:
# pkg_add -r boxes
### Draw any kind of box around some given text ###
Type the following command:
echo "This is a test" | boxes
Or specify the name of the design to use:
echo -e "\n\tVivek Gite\n\tvivek@nixcraft.com\n\twww.cyberciti.biz" | boxes -d dog
Sample outputs:
![Unix / Linux: Boxes Command To Draw Various Designs](http://s0.cyberciti.org/uploads/l/tips/2012/06/unix-linux-boxes-draw-dog-design.png)
Fig.01: Unix / Linux: Boxes Command To Draw Various Designs
#### How do I list all designs? ####
The syntax is:
boxes option
pipe | boxes options
echo "text" | boxes -d foo
boxes -l
The -d design option sets the name of the design to use. The syntax is:
echo "Text" | boxes -d design
pipe | boxes -d desig
The -l option list designs. It produces a listing of all available box designs in the config file, along with a sample box and information about it's creator:
boxes -l
boxes -l | more
boxes -l | less
Sample outputs:
43 Available Styles in "/etc/boxes/boxes-config":
-------------------------------------------------
ada-box (Neil Bird ):
---------------
-- --
-- --
---------------
ada-cmt (Neil Bird ):
--
-- regular Ada
-- comments
--
boy (Joan G. Stark ):
.-"""-.
/ .===. \
\/ 6 6 \/
( \___/ )
_________ooo__\_____/______________
/ \
| joan stark spunk1111@juno.com |
| VISIT MY ASCII ART GALLERY: |
| http://www.geocities.com/SoHo/7373/ |
\_______________________ooo_________/ jgs
| | |
|_ | _|
| | |
|__|__|
/-'Y'-\
(__/ \__)
....
...
output truncated
..
### How do I filter text via boxes while using vi/vim text editor? ###
You can use any external command with vi or vim. In this example, [insert current date and time][4], enter:
!!date
OR
:r !date
You need to type above command in Vim to read the output from the date command. This will insert the date and time after the current line:
Tue Jun 12 00:05:38 IST 2012
You can do the same with boxes command. Create a sample shell script or a c program as follows:
#!/bin/bash
Purpose: Backup mysql database to remote server.
Author: Vivek Gite
Last updated on: Tue Jun, 12 2012
Now type the following (move cursor to the second line i.e. line which starts with "Purpose: ...")
3!!boxes
And voila you will get the output as follows:
#!/bin/bash
/****************************************************/
/* Purpose: Backup mysql database to remote server. */
/* Author: Vivek Gite */
/* Last updated on: Tue Jun, 12 2012 */
/****************************************************/
This video will give you an introduction to boxes command:
youtube 视频
<iframe width="595" height="446" frameborder="0" src="http://www.youtube.com/embed/glzXjNvrYOc?rel=0"></iframe>
(Video:01: boxes command in action. BTW, this is my first video so go easy on me and let me know what you think.)
See also
- boxes man page
--------------------------------------------------------------------------------
via: http://www.cyberciti.biz/tips/unix-linux-draw-any-kind-of-boxes-around-text-editor.html
Author: Vivek Gite
Translator: [translator ID](https://github.com/译者ID)
Proofreader: [proofreader ID](https://github.com/校对者ID)
This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and published by [Linux中国](https://linux.cn/).
[1]:http://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html
[2]:http://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/
[3]:http://www.cyberciti.biz/faq/fedora-sl-centos-redhat6-enable-epel-repo/
[4]:http://www.cyberciti.biz/faq/vim-inserting-current-date-time-under-linux-unix-osx/

@ -0,0 +1,497 @@
Securi-Pi: Using the Raspberry Pi as a Secure Landing Point
================================================================================
Like many LJ readers these days, I've been leading a bit of a techno-nomadic lifestyle over the past few years, jumping from network to network, access point to access point, as I bounce around the real world while maintaining my connection to the Internet and the other networks I use daily. Lately, I've found that more and more networks are starting to block outbound ports like SMTP (port 25), SSH (port 22) and others. It becomes really frustrating when you drop into a local coffee house expecting to be able to fire up your SSH client and get a few things done, and you can't, because the network is blocking you.
However, I have yet to run across a network that blocks HTTPS outbound (port 443). After a bit of fiddling with a Raspberry Pi 2 I have at home, I was able to get a nice clean solution that lets me hit various services on the Raspberry Pi via port 443—allowing me to walk around blocked ports and hobbled networks so I can do the things I need to do. In a nutshell, I have set up this Raspberry Pi to act as an OpenVPN endpoint, SSH endpoint and Apache server—with all these services listening on port 443 so networks with restrictive policies aren't an issue.
### Notes
This solution will work on most networks, but firewalls that do deep packet inspection on outbound traffic still can block traffic that's tunneled using this method. However, I haven't been on a network that does that...yet. Also, while I use a lot of cryptography-based solutions here (OpenVPN, HTTPS, SSH), I haven't done a strict security audit of this setup. DNS may leak information, for example, and there may be other things I haven't thought of. I'm not recommending this as a way to hide all your traffic—I just use this so that I can connect to the Internet in an unfettered way when I'm out and about.
### Getting Started
Let's start off with what you need to put this solution together. I'm using this on a Raspberry Pi 2 at home, running the latest Raspbian, but this should work just fine on a Raspberry Pi Model B, as well. It fits within the 512MB of RAM footprint quite easily, although performance may be a bit slower, because the Raspberry Pi Model B has a single-core CPU as opposed to the Pi 2's quad-core. My Raspberry Pi 2 is behind my home's router/firewall, so I get the added benefit of being able to access my machines at home. This also means that any traffic I send to the Internet appears to come from my home router's IP address, so this isn't a solution designed to protect anonymity. If you don't have a Raspberry Pi, or don't want this running out of your home, it's entirely possible to run this out of a small cloud server too. Just make sure that the server's running Debian or Ubuntu, as these instructions are targeted at Debian-based distributions.
![](http://www.linuxjournal.com/files/linuxjournal.com/ufiles/imagecache/large-550px-centered/u1002061/11913f1.jpg)
Figure 1. The Raspberry Pi, about to become an encrypted network endpoint.
### Installing and Configuring BIND
Once you have your platform up and running, whether it's a Raspberry Pi or otherwise, the next step is to install BIND, the nameserver that powers a lot of the Internet. You're going to run BIND as a caching nameserver only, not one that serves incoming requests from the Internet. It gives you a DNS server to point your OpenVPN clients at once you get to the OpenVPN step. Installing BIND is easy; it's just a simple `apt-get` command:
```
root@test:~# apt-get install bind9
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
bind9utils
Suggested packages:
bind9-doc resolvconf ufw
The following NEW packages will be installed:
bind9 bind9utils
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 490 kB of archives.
After this operation, 1,128 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
```
A couple of minor changes to one of BIND's config files are needed before it can operate as a caching nameserver. Both are in `/etc/bind/named.conf.options`. First, uncomment the "forwarders" section and add an upstream nameserver on the Internet to which requests are forwarded. Here I'm using Google's public DNS (8.8.8.8); pick whichever upstream resolver you trust, because it sees every name your VPN clients look up. The "forwarders" section should look like this:
```
forwarders {
8.8.8.8;
};
```
The second change allows queries from your internal network, from localhost and, looking ahead to the OpenVPN step, from the VPN clients themselves. Add this line to the bottom of the configuration file, right before the `};` that closes the `options` block:
```
allow-query { 192.168.1.0/24; 10.8.0.0/24; 127.0.0.0/8; };
```
That line allows this DNS server to be queried from the network it's on (in this case, my network behind my firewall), from the 10.8.0.0/24 subnet that the OpenVPN server hands out to clients later in this article, and from localhost. Without the VPN subnet, clients that are pushed this server as their resolver get REFUSED answers, because their queries arrive from 10.8.0.x addresses (in BIND 9, `allow-recursion` falls back to this list when it is not set explicitly, so one line covers both). Next, you just need to restart BIND:
```
root@test:~# /etc/init.d/bind9 restart
[....] Stopping domain name service...: bind9waiting
↪for pid 13209 to die
. ok
[ ok ] Starting domain name service...: bind9.
```
Now you can use `nslookup` to make sure your server works:
```
root@test:~# nslookup
> server localhost
Default server: localhost
Address: 127.0.0.1#53
> www.google.com
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.google.com
Address: 173.194.33.176
Name: www.google.com
Address: 173.194.33.177
Name: www.google.com
Address: 173.194.33.178
Name: www.google.com
Address: 173.194.33.179
Name: www.google.com
Address: 173.194.33.180
```
That's it! You've got a working nameserver on this machine. Next, let's move on to OpenVPN.
### Installing and Configuring OpenVPN
OpenVPN is an open-source VPN solution that relies on SSL/TLS for its key exchange. It's also easy to install and get working under Linux. Configuration of OpenVPN can be a bit daunting, but you're not going to deviate from the default configuration by much. To start, you're going to run an apt-get command and install OpenVPN:
```
root@test:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
liblzo2-2 libpkcs11-helper1
Suggested packages:
resolvconf
The following NEW packages will be installed:
liblzo2-2 libpkcs11-helper1 openvpn
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 621 kB of archives.
After this operation, 1,489 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
```
Now that OpenVPN is installed, you're going to configure it. OpenVPN is TLS-based, and it relies on both server and client certificates to work. To generate these certificates, you need a Certificate Authority (CA) on the machine. Luckily, OpenVPN ships with wrapper scripts known as "easy-rsa" that bootstrap this process. Start by making a directory for the easy-rsa scripts and copying them there from the template directory (on Debian and Raspbian releases where the openvpn package no longer ships these examples, install the separate `easy-rsa` package and copy from `/usr/share/easy-rsa/` instead):
```
root@test:~# mkdir /etc/openvpn/easy-rsa
root@test:~# cp -rpv /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
```
Next, copy the vars file to a backup copy:
```
root@test:/etc/openvpn/easy-rsa# cp vars vars.bak
```
Now, edit vars so it has information pertinent to your installation. I'm going to specify only the lines that need to be edited, with sample data, below:
```
KEY_SIZE=4096
KEY_COUNTRY="US"
KEY_PROVINCE="CA"
KEY_CITY="Silicon Valley"
KEY_ORG="Linux Journal"
KEY_EMAIL="bill.childers@linuxjournal.com"
```
The next step is to source the vars file, so that the environment variables in the file are in your current environment:
```
root@test:/etc/openvpn/easy-rsa# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
```
### Building the Certificate Authority
You're now going to run clean-all to ensure a clean working environment, and then build the CA. Note that I'm replacing the `changeme` defaults at the prompts with values appropriate for this installation. Keep the resulting `keys/ca.key` private: anyone who holds it can mint client certificates that your server will accept.
```
root@test:/etc/openvpn/easy-rsa# ./clean-all
root@test:/etc/openvpn/easy-rsa# ./build-ca
Generating a 4096 bit RSA private key
...................................................++
...................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that
will be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some
blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Silicon Valley]:
Organization Name (eg, company) [Linux Journal]:
Organizational Unit Name (eg, section) [changeme]:SecTeam
Common Name (eg, your name or your server's hostname) [changeme]:test.linuxjournal.com
Name [changeme]:test.linuxjournal.com
Email Address [bill.childers@linuxjournal.com]:
```
### Building the Server Certificate
Once the CA is created, you need to build the OpenVPN server certificate:
```
root@test:/etc/openvpn/easy-rsa# ./build-key-server test.linuxjournal.com
Generating a 4096 bit RSA private key
...................................................++
writing new private key to 'test.linuxjournal.com.key'
-----
You are about to be asked to enter information that
will be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some
blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Silicon Valley]:
Organization Name (eg, company) [Linux Journal]:
Organizational Unit Name (eg, section) [changeme]:SecTeam
Common Name (eg, your name or your server's hostname) [test.linuxjournal.com]:
Name [changeme]:test.linuxjournal.com
Email Address [bill.childers@linuxjournal.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Silicon Valley'
organizationName :PRINTABLE:'Linux Journal'
organizationalUnitName:PRINTABLE:'SecTeam'
commonName :PRINTABLE:'test.linuxjournal.com'
name :PRINTABLE:'test.linuxjournal.com'
emailAddress :IA5STRING:'bill.childers@linuxjournal.com'
Certificate is to be certified until Sep 1 06:23:59 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
The next step may take a while: building the Diffie-Hellman parameters for the OpenVPN server. This takes several minutes on a conventional desktop-grade CPU, but on the ARM processor of the Raspberry Pi, it can take much, much longer (hours for 4096 bits). Have patience; as long as the dots in the terminal keep coming, the system is still generating the parameters. Note that many dots are snipped in these examples:
```
root@test:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
....................................................+
<snipped out many more dots>
```
### Building the Client Certificate
Now you're going to generate a client key and certificate for your client to use when logging in to the OpenVPN server. OpenVPN is typically configured for certificate-based authentication, where the client presents a certificate issued by the CA you just created. Issue one certificate per client machine rather than sharing one, so that a lost laptop can be revoked without cutting off everyone else:
```
root@test:/etc/openvpn/easy-rsa# ./build-key bills-computer
Generating a 4096 bit RSA private key
...................................................++
...................................................++
writing new private key to 'bills-computer.key'
-----
You are about to be asked to enter information that
will be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN. There are quite a few
fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Silicon Valley]:
Organization Name (eg, company) [Linux Journal]:
Organizational Unit Name (eg, section) [changeme]:SecTeam
Common Name (eg, your name or your server's hostname) [bills-computer]:
Name [changeme]:bills-computer
Email Address [bill.childers@linuxjournal.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Silicon Valley'
organizationName :PRINTABLE:'Linux Journal'
organizationalUnitName:PRINTABLE:'SecTeam'
commonName :PRINTABLE:'bills-computer'
name :PRINTABLE:'bills-computer'
emailAddress :IA5STRING:'bill.childers@linuxjournal.com'
Certificate is to be certified until Sep 1 07:35:07 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@test:/etc/openvpn/easy-rsa#
```
Now generate a static key for OpenVPN's `tls-auth` option. This is a shared secret, separate from the certificates, that both ends use to HMAC every control-channel packet: anything that arrives without a valid HMAC is dropped before the TLS handshake even starts, which keeps port scanners and unauthenticated attackers away from the TLS stack. Note the path; the server configuration below refers to this same file, and every client needs a copy of it:
```
root@test:~# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
```
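To make concrete what that key buys you, here is an added example (my own Python, not the article's or OpenVPN's code) of the gate that `tls-auth` puts in front of the TLS handshake: every control packet carries an HMAC under a key taken from `ta.key`, plus a packet counter, and the server verifies both before doing any TLS work. Assumptions, marked in the comments: the key-file slice offsets used for the two directions and the packet layout are simplified stand-ins for OpenVPN's real format, and the inputs `demo()` feeds through the gate are constructed.

```python
"""HMAC gate in front of the TLS handshake, modelled on OpenVPN's tls-auth.

Added example, not code from the article or from OpenVPN. It keeps the
mechanism (one pre-shared 256-byte key file, opposite send/receive key slices
for server and client, a packet counter inside the MAC so captured packets
cannot be replayed, rejection before any TLS processing) but uses a simplified
wire layout; real OpenVPN control packets carry more fields.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

KEY_FILE_BYTES = 256                       # `openvpn --genkey --secret` writes a 2048-bit key
MAC_LEN = hashlib.sha1().digest_size        # tls-auth defaults to HMAC-SHA1 (20 bytes)
OPCODE_CONTROL_HARD_RESET_CLIENT_V2 = 7     # first control packet a client sends
OPCODE_CONTROL_V1 = 4


def hmac_keys(key_file: bytes, direction: int) -> tuple[bytes, bytes]:
    """Return (send_key, recv_key) for one end. direction 0 = server (`tls-auth ta.key 0`), 1 = client.

    Assumed layout of the key file, as four 64-byte slices: cipher0, hmac0, cipher1, hmac1.
    Direction 0 sends with hmac0 and receives with hmac1; direction 1 does the opposite, so
    the two ends always use mirrored keys. Only the first MAC_LEN bytes of a slice are used.
    """
    if len(key_file) != KEY_FILE_BYTES or direction not in (0, 1):
        raise ValueError("key file must be 256 bytes and direction 0 or 1")
    hmac0 = key_file[64:64 + MAC_LEN]
    hmac1 = key_file[192:192 + MAC_LEN]
    return (hmac0, hmac1) if direction == 0 else (hmac1, hmac0)


def build_packet(send_key: bytes, opcode: int, session_id: bytes, packet_id: int, payload: bytes) -> bytes:
    """Simplified control packet: opcode/key_id | session_id(8) | mac(20) | packet_id(4) | payload."""
    if len(session_id) != 8 or not 0 <= opcode < 32:
        raise ValueError("bad session id or opcode")
    header = bytes([opcode << 3]) + session_id          # key_id 0 in the low three bits
    pid = struct.pack("!I", packet_id)
    # the counter goes first in the MAC input so it is always covered by the tag
    mac = hmac.new(send_key, pid + header + payload, hashlib.sha1).digest()
    return header + mac + pid + payload


class TlsAuthGate:
    """Server-side filter: verify MAC and counter, and only then hand the payload up to TLS."""

    MIN_LEN = 1 + 8 + MAC_LEN + 4

    def __init__(self, recv_key: bytes) -> None:
        self.recv_key = recv_key
        self.highest_seen: dict[bytes, int] = {}    # highest packet_id accepted per client session
        self.dropped = 0

    def check(self, pkt: bytes) -> tuple:
        """Return ("accept", opcode, payload) or ("drop:<reason>", None, None)."""
        if len(pkt) < self.MIN_LEN:
            self.dropped += 1
            return ("drop:short", None, None)
        header = pkt[:9]
        mac = pkt[9:9 + MAC_LEN]
        pid_raw = pkt[9 + MAC_LEN:self.MIN_LEN]
        payload = pkt[self.MIN_LEN:]
        expected = hmac.new(self.recv_key, pid_raw + header + payload, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):      # constant-time comparison
            self.dropped += 1
            return ("drop:bad-hmac", None, None)
        session_id = header[1:]
        packet_id = struct.unpack("!I", pid_raw)[0]
        if packet_id <= self.highest_seen.get(session_id, 0):
            self.dropped += 1
            return ("drop:replay", None, None)
        self.highest_seen[session_id] = packet_id
        return ("accept", header[0] >> 3, payload)


def demo() -> list:
    """Constructed traffic: a real client, a replayed capture, a tampered packet,
    a client configured with the wrong direction, and a scanner with no key."""
    key_file = os.urandom(KEY_FILE_BYTES)               # stands in for ta.key
    server_send, server_recv = hmac_keys(key_file, 0)
    client_send, _client_recv = hmac_keys(key_file, 1)
    gate = TlsAuthGate(server_recv)
    session = b"\x11" * 8
    verdicts = []
    first = build_packet(client_send, OPCODE_CONTROL_HARD_RESET_CLIENT_V2, session, 1, b"")
    verdicts.append(gate.check(first)[0])              # genuine client: accept
    verdicts.append(gate.check(first)[0])              # same bytes again: replay
    hello = build_packet(client_send, OPCODE_CONTROL_V1, session, 2, b"\x16\x03\x01ClientHello")
    verdicts.append(gate.check(hello[:-5] + b"XXXXX")[0])   # payload modified in transit
    verdicts.append(gate.check(hello)[0])              # the untouched packet still passes
    wrong_dir = build_packet(server_send, OPCODE_CONTROL_V1, session, 3, b"")
    verdicts.append(gate.check(wrong_dir)[0])          # client that used direction 0
    stranger = build_packet(os.urandom(MAC_LEN), OPCODE_CONTROL_HARD_RESET_CLIENT_V2, b"\x22" * 8, 1, b"")
    verdicts.append(gate.check(stranger)[0])           # no key at all
    return verdicts
```

`demo()` returns the verdict for each packet; the last case is the point of the option: traffic from anyone who does not hold `ta.key` never reaches the TLS code, and the wrong-direction case is the usual reason a fresh client "fails the HMAC" in the server log.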
### Configuration of the Server
Finally, you get to the meat of it: configuring the OpenVPN server. The configuration sticks to the defaults for the most part. The main change is to make OpenVPN use TCP rather than UDP. This is needed for the next major step to work: SSLH multiplexes TCP connections, so unless OpenVPN speaks TCP you can't get it working on port 443. Create a new file called /etc/openvpn/server.conf and put the following in it. Relative paths resolve from /etc/openvpn, where the init script starts the daemon; the `tls-auth` line points at the `ta.key` generated above, with `0` marking this as the server side (clients use `1`). Two caveats: the `management` line opens an unauthenticated control socket, so any local user who can reach 127.0.0.1:7505 can drive the daemon, and you should drop it if you don't need it; and the OpenVPN project now discourages `comp-lzo`, because compressing traffic before encrypting it can leak information about its content, so leave it out unless you need it (whatever you choose, the clients must match). Since SSLH will hand connections to OpenVPN on 127.0.0.1:1194, you can also add the `local 127.0.0.1` directive so that port 1194 is never reachable directly.
```
port 1194
proto tcp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/test.linuxjournal.com.crt   # or whatever your hostname was
key easy-rsa/keys/test.linuxjournal.com.key    # hostname key - this file should be kept secret
management localhost 7505
dh easy-rsa/keys/dh4096.pem
tls-auth easy-rsa/keys/ta.key 0                # the key generated above; 0 = server side
server 10.8.0.0 255.255.255.0                  # the server will use this subnet for clients connecting to it
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"       # forces clients to redirect all traffic through the VPN
push "dhcp-option DNS 192.168.1.1"             # tells clients to use 192.168.1.1 for DNS; replace with the IP
                                               # address of the OpenVPN machine and clients will use the BIND
                                               # server set up earlier
keepalive 30 240
comp-lzo                                       # enable compression (see the note above)
persist-key
persist-tun
status openvpn-status.log
verb 3
```
And last, enable IP forwarding on the server, configure OpenVPN to start on boot and start the service. Forwarding alone is not enough for `redirect-gateway` to work, though: packets from VPN clients leave the Pi with 10.8.0.x source addresses, and your home router has no route back to that subnet. Either add a static route for 10.8.0.0/24 via the Pi on the router, or have the Pi masquerade the VPN subnet with a MASQUERADE rule in the iptables nat table's POSTROUTING chain on its LAN interface, and make that rule persistent across reboots:
```
root@test:/etc/openvpn/easy-rsa/keys# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
root@test:/etc/openvpn/easy-rsa/keys# sysctl -p /etc/sysctl.conf
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
root@test:/etc/openvpn/easy-rsa/keys# update-rc.d openvpn defaults
update-rc.d: using dependency based boot sequencing
root@test:/etc/openvpn/easy-rsa/keys# /etc/init.d/openvpn start
[ ok ] Starting virtual private network daemon:.
```
### Setting Up OpenVPN Clients
Your client installation depends on the client's host OS, but in every case you need to copy the client certificate and key created above, plus `ca.crt` and `ta.key`, to the client, import them and create a configuration for that client. Each client and client OS does this slightly differently, and documenting each one is beyond the scope of this article, so refer to the documentation for your client; the Resources section lists OpenVPN clients for each major OS. Move the key material over an authenticated channel (scp from the Pi, for instance), not e-mail, and protect the client's `.key` file the way you would an SSH private key.
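A client configuration to match the server above, as an added example rather than something from the article or the OpenVPN project. It assumes the file names from the build-key step (`bills-computer.crt` and `bills-computer.key`), that `ca.crt` and `ta.key` sit in the same directory as this file, and that `test.linuxjournal.com` resolves to the public side of your home router, which forwards port 443 to the Pi:

```conf
client
dev tun
proto tcp                          # must match the server; SSLH only multiplexes TCP
remote test.linuxjournal.com 443   # the SSLH port, not 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bills-computer.crt
key bills-computer.key
tls-auth ta.key 1                  # same ta.key as the server, opposite direction value
remote-cert-tls server             # only accept a peer whose certificate carries the server extensions
comp-lzo                           # only if the server has it too
verb 3
```

`remote-cert-tls server` makes the client refuse any peer whose certificate was not issued with the server extensions that `build-key-server` applies, so a stolen client certificate from the same CA cannot be used to impersonate the server. The `tls-auth` direction must be the mirror of the server's `0`; if both ends use the same value, every packet fails the HMAC check and the connection never gets past the reset packet.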
### Installing SSLH, the "Magic" Protocol Multiplexer
The really interesting piece of this solution is SSLH. SSLH is a protocol multiplexer: it listens on port 443, looks at the first bytes each new connection sends, decides whether they look like an SSH identification string, a TLS handshake (HTTPS) or an OpenVPN packet, and then forwards the whole connection to the proper service. It decrypts nothing; it only inspects the plaintext framing at the start of the stream. This is what enables this solution to bypass most port blocks: you use the HTTPS port for all of this traffic, since HTTPS is rarely blocked.
To start, `apt-get` install SSLH:
```
root@test:/etc/openvpn/easy-rsa/keys# apt-get install sslh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9
Suggested packages:
apache2-doc apache2-suexec apache2-suexec-custom openbsd-inetd inet-superserver
The following NEW packages will be installed:
apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9 sslh
0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,568 kB of archives.
After this operation, 5,822 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
```
After SSLH is installed, the package installer asks whether to run it in inetd or standalone mode. Select standalone mode, because you want SSLH to run as its own process. If you don't have Apache installed, the Debian/Raspbian package of SSLH pulls it in automatically, although Apache isn't strictly required. If you already have Apache running with SSL enabled, make sure it listens on 127.0.0.1:443 only (`Listen 127.0.0.1:443` in its ports.conf) and not on all interfaces; otherwise SSLH can't start because it can't bind to port 443, and the `--ssl` target in the SSLH configuration below expects Apache on localhost anyway. After installation, you'll see an error that looks like this:
```
[....] Starting ssl/ssh multiplexer: sslhsslh disabled, please adjust the configuration to your needs
[FAIL] and then set RUN to 'yes' in /etc/default/sslh to enable it. ... failed!
failed!
```
This isn't an error, exactly—it's just SSLH telling you that it's not configured and can't start. Configuring SSLH is pretty simple. Its configuration is stored in `/etc/default/sslh`, and you just need to configure the `RUN` and `DAEMON_OPTS` variables. My SSLH configuration looks like this:
```
# Default options for sslh initscript
# sourced by /etc/init.d/sslh
# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)
RUN=yes
# binary to use: forked (sslh) or single-thread (sslh-select) version
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --openvpn 127.0.0.1:1194 --pidfile /var/run/sslh/sslh.pid"
```
Save the file and start SSLH:
```
root@test:/etc/openvpn/easy-rsa/keys# /etc/init.d/sslh start
[ ok ] Starting ssl/ssh multiplexer: sslh.
```
Now, you should be able to ssh to port 443 on your Raspberry Pi, and have it forward via SSLH:
```
$ ssh -p 443 root@test.linuxjournal.com
root@test:~#
```
SSLH is now listening on port 443 and can direct connections to SSH, Apache or OpenVPN based on the first bytes each client sends. Two consequences are worth knowing about. First, the backends see every connection as coming from 127.0.0.1, so sshd's logs and anything keyed on the client address (fail2ban, `Match Address` blocks in sshd_config, OpenVPN's status log) lose the real source IP; SSLH has a `--transparent` mode that preserves it, at the cost of extra routing setup that this article doesn't cover. Second, nothing here closes the original ports: sshd still listens on 22 and OpenVPN on 1194, so if those are reachable from the Internet you now have two ways in rather than one. You should be ready to go!
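The decision SSLH makes for each new connection, as an added example written in Python for this page; it is neither SSLH's code nor anything from the article. SSLH's real probes are C regular expressions and length checks, but the idea is the same: classify the first bytes the client sends, pick the backend from the article's `DAEMON_OPTS`, and fall back to the first listed protocol (SSH) when a client sends nothing before the timeout. The backend addresses are the ones from the article; the sample inputs in `demo()` are constructed, and the OpenVPN packet omits the tls-auth fields.

```python
"""First-bytes protocol classifier, the decision sslh makes on port 443.

Added example; not sslh's code and not from the article. Nothing is decrypted:
only the plaintext framing at the start of the stream is inspected, after which
the whole connection goes to one backend.
"""
from __future__ import annotations
import struct

# Where the article's sslh configuration forwards each protocol.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 443),
    "openvpn": ("127.0.0.1", 1194),
}
TIMEOUT_FALLBACK = "ssh"    # sslh forwards silent clients to the first listed protocol
OPENVPN_HARD_RESET_CLIENT_V2 = 7 << 3   # opcode 7, key_id 0 -> first byte 0x38


def classify(first_bytes: bytes) -> str:
    """Return "ssh", "tls", "openvpn", "unknown", or "need-more" if undecidable so far."""
    if len(first_bytes) < 3:
        return "need-more"
    # SSH: the client's identification string (RFC 4253, section 4.2)
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: a handshake record (content type 0x16) with a 3.x protocol version
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian length, then opcode/key_id; a fresh client
    # starts with P_CONTROL_HARD_RESET_CLIENT_V2, and the length must frame the packet
    (plen,) = struct.unpack("!H", first_bytes[:2])
    if first_bytes[2] == OPENVPN_HARD_RESET_CLIENT_V2 and plen == len(first_bytes) - 2:
        return "openvpn"
    if len(first_bytes) < 4:    # could still turn into "SSH-"
        return "need-more"
    return "unknown"


def route(first_bytes: bytes | None) -> tuple[str, tuple[str, int] | None]:
    """Pick a backend for a new connection. None means the client sent nothing before the timeout."""
    proto = TIMEOUT_FALLBACK if first_bytes is None else classify(first_bytes)
    return proto, BACKENDS.get(proto)


def openvpn_client_reset(session_id: bytes = b"\x01" * 8) -> bytes:
    """Constructed first packet of an OpenVPN-over-TCP client without tls-auth:
    opcode/key_id, 8-byte session id, empty ack array, packet id 0, behind the
    2-byte length prefix. With tls-auth an HMAC and replay counter follow the session id."""
    body = bytes([OPENVPN_HARD_RESET_CLIENT_V2]) + session_id + b"\x00" + b"\x00\x00\x00\x00"
    return struct.pack("!H", len(body)) + body


def demo() -> dict:
    """Route constructed samples the way the article's sslh setup would."""
    samples = {
        "openssh client": b"SSH-2.0-OpenSSH_6.7p1 Raspbian-5\r\n",
        "tls client hello": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",   # record header + start of ClientHello
        "openvpn reset": openvpn_client_reset(),
        "plain http": b"GET / HTTP/1.1\r\nHost: test.linuxjournal.com\r\n",
        "silent client": None,
    }
    return {name: route(data) for name, data in samples.items()}
```

The "need-more" result is why a real multiplexer buffers and waits: with two bytes in hand it cannot tell `SS` from the start of anything else. Plain HTTP lands on "unknown" here because the article's configuration has no `--http` target; SSLH would in that case apply its own default rather than guess.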
### Conclusion
Now you can fire up OpenVPN and set your OpenVPN client configuration to port 443, and SSLH will route it to the OpenVPN server on port 1194. But because you're talking to your server on port 443, your VPN traffic won't get blocked. Now you can land at a strange coffee shop, in a strange town, and know that your Internet will just work when you fire up your OpenVPN and point it at your Raspberry Pi. You'll also gain some encryption on your link, which will improve the privacy of your connection. Enjoy surfing the Net via your new landing point!
### Resources
Installing and Configuring OpenVPN: [https://wiki.debian.org/OpenVPN](https://wiki.debian.org/OpenVPN) and [http://cryptotap.com/articles/openvpn](http://cryptotap.com/articles/openvpn)
OpenVPN client downloads: [https://openvpn.net/index.php/open-source/downloads.html](https://openvpn.net/index.php/open-source/downloads.html)
OpenVPN Client for iOS: [https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8](https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8)
OpenVPN Client for Android: [https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en](https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en)
Tunnelblick for Mac OS X (OpenVPN client): [https://tunnelblick.net](https://tunnelblick.net)
SSLH—Protocol Multiplexer: [http://www.rutschle.net/tech/sslh.shtml](http://www.rutschle.net/tech/sslh.shtml) and [https://github.com/yrutschle/sslh](https://github.com/yrutschle/sslh)
----------
via: http://www.linuxjournal.com/content/securi-pi-using-raspberry-pi-secure-landing-point?page=0,0
Author: [Bill Childers][a]
Translator: [translator ID](https://github.com/译者ID)
Proofreader: [proofreader ID](https://github.com/校对者ID)
This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and published by [Linux中国](https://linux.cn/).
[a]:http://www.linuxjournal.com/users/bill-childers

@ -1,121 +0,0 @@
Learn with Linux: Learning to Type
================================================================================
![](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-featured.png)
This article is part of the [Learn with Linux][1] series:
- [Learn with Linux: Learning to Type][2]
- [Learn with Linux: Physics Simulation][3]
- [Learn with Linux: Learning Music][4]
- [Learn with Linux: Two Geography Apps][5]
- [Learn with Linux: Master Your Math with These Linux Apps][6]
Linux offers great educational software and many excellent tools to aid students of all grades and ages in learning and practicing a variety of topics, often interactively. The “Learn with Linux” series of articles offers an introduction to a variety of educational apps and software.
Typing is taken for granted by many people; today being keyboard savvy often comes as second nature. Yet how many of us still type with two fingers, even if ever so fast? Once typing was taught in schools, but slowly the art of ten-finger typing is giving way to two thumbs.
The following two applications can help you master the keyboard so that your next thought does not get lost while your fingers catch up. They were chosen for their simplicity and ease of use. While there are some more flashy or better looking typing apps out there, the following two will get the basics covered and offer the easiest way to start out.
### TuxType (or TuxTyping) ###
TuxType is for children. Young students can learn how to type with ten fingers with simple lessons and practice their newly-acquired skills in fun games.
Debian and derivatives (therefore all Ubuntu derivatives) should have TuxType in their standard repositories. To install simply type
sudo apt-get install tuxtype
The application starts with a simple menu screen featuring Tux and some really bad midi music (Fortunately the sound can be turned off easily with the icon in the lower left corner.).
![learntotype-tuxtyping-main](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-main.jpg)
The top two choices, “Fish Cascade” and “Comet Zap,” represent typing games, but to start learning you need to head over to the lessons.
There are forty simple built-in lessons to choose from. Each one of these will take a letter from the keyboard and make the student practice while giving visual hints, such as which finger to use.
![learntotype-tuxtyping-exd1](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-exd1.jpg)
![learntotype-tuxtyping-exd2](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-exd2.jpg)
For more advanced practice, phrase typing is also available, although for some reason this is hidden under the options menu.
![learntotype-tuxtyping-phrase](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-phrase.jpg)
The games are good for speed and accuracy as the player helps Tux catch falling fish
![learntotype-tuxtyping-fish](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-fish.jpg)
or zap incoming asteroids by typing the words written over them.
![learntotype-tuxtyping-zap](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-zap.jpg)
Besides being a fun way to practice, these games teach spelling, speed, and eye-to-hand coordination, as you must type while also watching the screen, building a foundation for touch typing, if taken seriously.
### GNU typist (gtype) ###
For adults and more experienced typists, there is GNU Typist, a console-based application developed by the GNU project.
GNU Typist will also be carried by most Debian derivatives main repos. Installing it is as easy as typing
sudo apt-get install gtype
You will probably not find it in the Applications menu; instead you should start it from a terminal window.
gtype
The main menu is simple, no-nonsense and frill-free, yet it is evident how much the software has to offer. Typing lessons of all levels are immediately accessible.
![learntotype-gtype-main](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-main.png)
The lessons are straightforward and detailed.
![learntotype-gtype-lesson](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-lesson.png)
The interactive practice sessions offer little more than highlighting your mistakes. Instead of flashy visuals, you have the chance to focus on practising. At the end of each lesson you get some simple statistics on how you've been doing. If you make too many mistakes, you cannot proceed until you pass the level.
![learntotype-gtype-mistake](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-mistake.png)
While the basic lessons only require you to repeat some characters, more advanced drills will have the practitioner type either whole sentences,
![learntotype-gtype-warmup](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-warmup.png)
where of course the three percent error margin means you are allowed even fewer mistakes,
![learntotype-gtype-warmupfail](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-warmupfail.png)
or some drills aiming to achieve certain goals, as in the “Balanced keyboard drill.”
![learntotype-gtype-balanceddrill](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-balanceddrill.png)
Simple speed drills have you type quotes,
![learntotype-gtype-speed-simple](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-speed-simple.png)
while more advanced ones will make you write longer texts taken from classics.
![learntotype-gtype-speed-advanced](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-speed-advanced.png)
If you'd prefer a different language, more lessons can also be loaded as command line arguments.
![learntotype-gtype-more-lessons](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-more-lessons.png)
### Conclusion ###
If you care to hone your typing skills, Linux has great software to offer. The two basic, yet feature-rich, applications discussed above will cater to most aspiring typists' needs. If you use or know of another great typing application, please don't hesitate to let us know below in the comments.
--------------------------------------------------------------------------------
via: https://www.maketecheasier.com/learn-to-type-in-linux/
Author: [Attila Orosz][a]
Translator: [translator ID](https://github.com/译者ID)
Proofreader: [proofreader ID](https://github.com/校对者ID)
This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and published by [Linux中国](https://linux.cn/).
[a]:https://www.maketecheasier.com/author/attilaorosz/
[1]:https://www.maketecheasier.com/series/learn-with-linux/
[2]:https://www.maketecheasier.com/learn-to-type-in-linux/
[3]:https://www.maketecheasier.com/linux-physics-simulation/
[4]:https://www.maketecheasier.com/linux-learning-music/
[5]:https://www.maketecheasier.com/linux-geography-apps/
[6]:https://www.maketecheasier.com/learn-linux-maths/

@ -1,103 +0,0 @@
Learn with Linux: Two Geography Apps
================================================================================
![](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-featured.png)
This article is part of the [Learn with Linux][1] series:
- [Learn with Linux: Learning to Type][2]
- [Learn with Linux: Physics Simulation][3]
- [Learn with Linux: Learning Music][4]
- [Learn with Linux: Two Geography Apps][5]
- [Learn with Linux: Master Your Math with These Linux Apps][6]
Linux offers great educational software and many excellent tools to aid students of all grades and ages in learning and practicing a variety of topics, often interactively. The “Learn with Linux” series of articles offers an introduction to a variety of educational apps and software.
Geography is an interesting subject, used by many of us day to day, often without realizing it. When you fire up GPS, SatNav, or just Google Maps, you are using geographical data provided by this software with maps drawn by cartographers. When you hear about a certain country in the news or hear financial data being recited, these all fall under the umbrella of geography. And you have some great Linux software to study and practice these, whether it is for school or your own improvement.
### Kgeography ###
There are only two geography-related applications readily available in most Linux repositories, and both of these are KDE applications, in fact part of the KDE Educational project. Kgeography uses simple color-coded maps of any selected country.
To install kgeography just type
sudo apt-get install kgeography
into a terminal window of any Ubuntu-based distribution.
The interface is very basic. You are first presented with a picker menu that lets you choose an area map.
![learn-geography-kgeo-pick](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-kgeo-pick.png)
On the map you can display the name and capital of any given territory by clicking on it,
![learn-geography-kgeo-brit](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-kgeo-brit.png)
and test your knowledge in different quizzes.
![learn-geography-kgeo-test](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-kgeo-test.png)
It is an interactive way to test your basic geographical knowledge and could be an excellent tool to help you prepare for exams.
### Marble ###
Marble is a somewhat more advanced software, offering a global view of the world without the need of 3D acceleration.
![learn-geography-marble-main](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-main.png)
To get Marble, type
sudo apt-get install marble
into a terminal window of any Ubuntu-based distribution.
Marble focuses on cartography, its main view being that of an atlas.
![learn-geography-marble-atlas](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-atlas.jpg)
You can have different projections, like Globe or Mercator displayed as defaults, with flat and other exotic views available from a drop-down menu. The surfaces include the basic Atlas view, a full-fledged offline map powered by OpenStreetMap,
![learn-geography-marble-map](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-map.jpg)
satellite view (by NASA),
![learn-geography-marble-satellite](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-satellite.jpg)
and political and even historical maps of the world, among others.
![learn-geography-marble-history](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-history.jpg)
Besides providing great offline maps with different skins and varying amount of data, Marble offers other types of information as well. You can switch on and off various offline info-boxes
![learn-geography-marble-offline](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-offline.png)
and online services from the menu.
![learn-geography-marble-online](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-online.png)
An interesting online service is Wikipedia integration. Clicking on the little Wiki logos will bring up a pop-up featuring detailed information about the selected places.
![learn-geography-marble-wiki](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-wiki.png)
The software also includes options for location tracking, route planning, and searching for locations, among other great and useful features. If you enjoy cartography, Marble offers hours of fun exploring and learning.
### Conclusion ###
Linux offers many great educational applications, and the subject of geography is no exception. With the above two programs you can learn a lot about our globe and test your knowledge in a fun and interactive manner.
--------------------------------------------------------------------------------
via: https://www.maketecheasier.com/linux-geography-apps/
作者:[Attila Orosz][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.maketecheasier.com/author/attilaorosz/
[1]:https://www.maketecheasier.com/series/learn-with-linux/
[2]:https://www.maketecheasier.com/learn-to-type-in-linux/
[3]:https://www.maketecheasier.com/linux-physics-simulation/
[4]:https://www.maketecheasier.com/linux-learning-music/
[5]:https://www.maketecheasier.com/linux-geography-apps/
[6]:https://www.maketecheasier.com/learn-linux-maths/


@ -1,487 +0,0 @@
Linux平台安全备忘录
================================================================================
这是一组Linux基金会自己系统管理员的推荐规范。所有Linux基金会的雇员都是远程工作我们使用这套指导方针确保系统管理员的系统通过核心安全需求降低我们平台成为攻击目标的风险。
即使你的系统管理员不用远程工作,很有可能的是,很多人的工作是在一个便携的笔记本上完成的,或者在业余时间或紧急时刻他们在工作平台中部署自己的家用系统。不论发生何种情况,你都能对应这个规范匹配到你的环境中。
这绝不是一个详细的“工作站加固”文档,可以说这是一个努力避免大多数明显安全错误导致太多不便的一组规范的底线。你可能阅读这个文档会认为它的方法太偏执,同时另一些人也许会认为这仅仅是一些肤浅的研究。安全就像在高速公路上开车 -- 任何比你开的慢的都是一个傻瓜,然而任何比你开的快的人都是疯子。这个指南仅仅是一些列核心安全规则,既不详细又不是替代经验,警惕,和常识。
每一节都分为两个部分:
- 核对适合你项目的需求
- 随意列出关心的项目,解释为什么这么决定
## 严重级别
在清单的每一个项目都包括严重级别,这些是我们希望能帮助指导你的决定:
- _(关键)_ 项目应该在考虑列表上被明确的重视。如果不采取措施,将会导致你的平台安全出现高风险。
- _(中等)_ 项目将改善你的安全形态,但不是很重要,尤其是如果他们太多的干涉你的工作流程。
- _(低等)_ 项目也许会改善整体安全性,但是在便利权衡下也许并不值得。
- _(可疑)_ 留作感觉会明显完善我们平台安全的项目,但是可能会需要大量的调整与操作系统交互的方式。
记住,这些只是参考。如果你觉得这些严重级别不能表达你的工程对安全承诺,正如你所见你应该调整他们为你合适的。
## 选择正确的硬件
我们禁止管理员使用一个特殊供应商或者一个特殊的型号,所以在选择工作系统时这部分是核心注意事项。
### 清单
- [ ] 系统支持安全启动 _(关键)_
- [ ] 系统没有火线,雷电或者扩展卡接口 _(中等)_
- [ ] 系统有TPM芯片 _(低)_
### 注意事项
#### 安全引导
尽管它是有争议的性质安全引导提供了对抗很多针对平台的攻击Rootkits, "Evil Maid,"等等),没有介绍太多额外的麻烦。它将不会停止真正专用的攻击者,加上有很大程度上,站点安全机构有办法应对它(可能通过设计),但是拥有安全引导总比什么都没有强。
作为选择,你也许部署了[Anti Evil Maid][1]提供更多健全的保护,对抗安全引导支持的攻击类型,但是它需要更多部署和维护的工作。
#### 系统没有火线,雷电或者扩展卡接口
火线是一个标准,故意的,允许任何连接设备完全直接内存访问你的系统([查看维基百科][2]。雷电接口和扩展卡同样有问题虽然一些后来部署的雷电接口试图限制内存访问的范围。如果你没有这些系统端口那是最好的但是它并不严重他们通常可以通过UEFI或内核本身禁用。
#### TPM芯片
可信平台模块TPM是主板上的一个与核心处理器单独分开的加密芯片他可以用来增加平台的安全性比如存储完整磁盘加密密钥不过通常不用在日常平台操作。最多这是个很好的存在除非你有特殊需要使用TPM增加你平台安全性。
## 预引导环境
这是你开始安装系统前的一系列推荐规范。
### 清单
- [ ] 使用UEFI引导模式不是传统BIOS_(关键)_
- [ ] 进入UEFI配置需要使用密码 _(关键)_
- [ ] 使用安全引导 _(关键)_
- [ ] 启动系统需要UEFI级别密码 _(低)_
### 注意事项
#### UEFI和安全引导
UEFI尽管有缺点还是提供很多传统BIOS没有的好功能比如安全引导。大多数现代的系统都默认使用UEFI模式。
UEFI配置模式密码要确保密码强度。注意很多厂商默默地限制了你使用密码长度所以对比长口令你也许应该选择高熵短密码更多地密码短语看下面
基于你选择的Linux分支你也许会也许不会跳过额外的圈子以导入你的发行版的安全引导键才允许你启动发行版。很多分支已经与微软合作大多数厂商给他们已发布的内核签订密钥这已经是大多数厂商公认的了因此为了避免问题你必须处理密钥导入。
作为一个额外的措施在允许某人得到引导分区然后尝试做一些不好的事之前让他们输入密码。为了防止肩窥这个密码应该跟你的UEFI管理密码不同。如果你关闭启动太多你也许该选择别把心思费在这上面当你已经进入LUKS密码这将为您节省一些额外的按键。
## 发行版选择注意事项
很有可能你会坚持一个广泛使用的发行版如FedoraUbuntuArchDebian或他们的一个类似分支。无论如何这是你选择使用发行版应该考虑的。
### 清单
- [ ] 拥有一个强健的MAC/RBAC系统SELinux/AppArmor/Grsecurity _(关键)_
- [ ] 公开的安全公告 _(关键)_
- [ ] 提供及时的安全补丁 _(关键)_
- [ ] 提供密码验证的包 _(关键)_
- [ ] 完全支持UEFI和安全引导 _(关键)_
- [ ] 拥有健壮的原生全磁盘加密支持 _(关键)_
### 注意事项
#### SELinuxAppArmor和GrSecurity/PaX
强制访问控制MAC或者基于角色的访问控制RBAC是一个POSIX系统遗留的基于用户或组的安全机制延伸。这些天大多数发行版已经绑定MAC/RBAC系统FedoraUbuntu或通过提供一种机制一个可选的安装后的步骤来添加它GentooArchDebian。很明显强烈建议您选择一个预装MAC/RBAC系统的分支但是如果你对一个分支情有独钟没有默认启用它装完系统后应计划配置安装它。
应该坚决避免使用不带任何MAC/RBAC机制的分支像传统的POSIX基于用户和组的安全在当今时代应该算是考虑不足。如果你想建立一个MAC/RBAC工作站通常会考虑AppArmor和PaX他们比SELinux更容易学习。此外在一个工作站上有很少或者没有额外的监听用户运行的应用造成的最高风险GrSecurity/PaX_可能_会比SELinux提供更多的安全效益。
#### 发行版安全公告
大多数广泛使用的分支都有一个机制发送安全公告到他们的用户,但是如果你对一些机密感兴趣,查看开发人员是否有记录机制提醒用户安全漏洞和补丁。缺乏这样的机制是一个重要的警告信号,这个分支不够成熟,不能被视为主要管理工作站。
#### 及时和可靠的安全更新
多数常用的发行版提供的定期安全更新,但为确保关键包更新及时提供是值得检查的。避免使用分支和"社区重建"的原因是,由于不得不等待上游分支先发布它,他们经常延迟安全更新。
你如果找到一个在安装包更新元数据或两者上不使用加密签名的发行版将会处于困境。这么说常用的发行版多年前就已经知道这个基本安全的意义Arch我正在看你所以这也是值得检查的。
#### 发行版支持UEFI和安全引导
检查发行版支持UEFI和安全引导。查明它是否需要导入额外的密钥或是否要求启动内核有一个已经被系统厂商信任的密钥签名例如跟微软达成合作。一些发行版不支持UEFI或安全启动但是提供了替代品来确保防篡改或防破坏引导环境[Qubes-OS][3]使用Anti Evil Maid前面提到的。如果一个发行版不支持安全引导和没有机制防止引导级别攻击还是看看别的吧。
#### 全磁盘加密
全磁盘加密是保护静止数据要求大多数发行版都支持。作为一个选择方案系统自加密硬件驱动也许用来通常通过主板TPM芯片实现和提供类似安全级别加更快的选项但是花费也更高。
## 发行版安装指南
所有发行版都是不同的,但是也有一些一般原则:
### 清单
- [ ] 使用健壮的密码全磁盘加密LUKS _(关键)_
- [ ] 确保交换分区也加密了 _(关键)_
- [ ] 确保引导程序设置了密码可以和LUKS一样 _(关键)_
- [ ] 设置健壮的root密码可以和LUKS一样 _(关键)_
- [ ] 使用无特权账户登录,管理员组的一部分 _(关键)_
- [ ] 设置强壮的用户登录密码不同于root密码 _(关键)_
### 注意事项
#### 全磁盘加密
除非你正在使用自加密硬件设备配置你的安装程序给磁盘完整加密用来存储你的数据与你的系统文件很重要。通过自动安装的cryptfs循环文件加密用户目录还不够简单我正在看你老版Ubuntu这并没有给系统二进制文件或交换分区提供保护它可能包含大量的敏感数据。推荐的加密策略是加密LVM设备所以在启动过程中只需要一个密码。
`/boot`分区将一直保持非加密当引导程序需要引导内核前调用LUKS/dm-crypt。内核映像本身应该用安全引导加密签名检查防止被篡改。
换句话说,`/boot`应该是你系统上唯一没有加密的分区。
#### 选择好密码
现代的Linux系统没有限制密码口令长度所以唯一的限制是你的偏执和倔强。如果你要启动你的系统你将大概至少要输入两个不同的密码一个解锁LUKS另一个登陆所以长密码将会使你老的很快。最好从丰富或混合的词汇中选择2-3个单词长度容易输入的密码。
优秀密码例子(是的,你可以使用空格):
- nature abhors roombas
- 12 in-flight Jebediahs
- perdon, tengo flatulence
如果你更喜欢输入口令句你也可以坚持使用无词汇密码但最少要10-12个字符长度。
除非你有人身安全的担忧,写下你的密码,并保存在一个远离你办公桌的安全的地方才合适。
#### Root用户密码和管理组
我们建议你的root密码和你的LUKS加密使用同样的密码除非你共享你的笔记本给可信的人他应该能解锁设备但是不应该能成为root用户。如果你是笔记本电脑的唯一用户,那么你的root密码与你的LUKS密码不同是没有意义的安全优势。通常你可以使用同样的密码在你的UEFI管理磁盘加密和root登陆 -- 知道这些任意一个都会让攻击者完全控制您的系统,在单用户工作站上使这些密码不同,没有任何安全益处。
你应该有一个不同的,但同样强健的常规用户帐户密码用来每天工作。这个用户应该是管理组用户(例如`wheel`或者类似,根据分支),允许你执行`sudo`来提升权限。
换句话说,如果在你的工作站只有你一个用户,你应该有两个独特的,强健的,同样的强壮的密码需要记住:
**管理级别**,用在以下区域:
- UEFI管理
- 引导程序GRUB
- 磁盘加密LUKS
- 工作站管理root用户
**User-level**, used for the following:
**用户级别**,用在以下:
- 用户登陆和sudo
- 密码管理器的主密码
很明显,如果有一个令人信服的理由他们所有可以不同。
## 安装后的加强
安装后的安全性加强在很大程度上取决于你选择的分支,所以在一个通用的文档中提供详细说明是徒劳的,例如这一个。然而,这里有一些你应该采取的步骤:
### 清单
- [ ] 在全体范围内禁用火线和雷电模块 _(关键)_
- [ ] 检查你的防火墙,确保过滤所有传入端口 _(关键)_
- [ ] 确保root邮件转发到一个你可以查看到的账户 _(关键)_
- [ ] 检查以确保sshd服务默认情况下是禁用的 _(中等)_
- [ ] 建立一个系统自动更新任务,或更新提醒 _(中等)_
- [ ] 配置屏幕保护程序在一段时间的不活动后自动锁定 _(中等)_
- [ ] 建立日志监控 _(中等)_
- [ ] 安装使用rkhunter _(低等)_
- [ ] 安装一个入侵检测系统 _(偏执)_
### 注意事项
#### 黑名单模块
将火线和雷电模块列入黑名单,增加一行到`/etc/modprobe.d/blacklist-dma.conf`文件:
blacklist firewire-core
blacklist thunderbolt
重启后的模块将被列入黑名单。这样做是无害的,即使你没有这些端口(但也不做任何事)。
#### Root邮件
默认的root邮件只是存储在系统基本上没人读过。确保你设置了你的`/etc/aliases`来转发root邮件到你确实能读取的邮箱否则你也许错过了重要的系统通知和报告
# Person who should get root's mail
root: bob@example.com
编辑后这些后运行`newaliases`,然后测试它确保已投递,像一些邮件供应商将拒绝从没有或者不可达的域名的邮件。如果是这个原因,你需要配置邮件转发直到确实可用。
#### 防火墙sshd和监听进程
默认的防火墙设置将取决于您的发行版,但是大多数都允许`sshd`端口连入。除非你有一个令人信服的合理理由允许连入ssh你应该过滤出来,禁用sshd守护进程。
systemctl disable sshd.service
systemctl stop sshd.service
如果你需要使用它,你也可以临时启动它。
通常你的系统不应该有任何侦听端口除了响应ping。这将有助于你对抗网络级别的零日漏洞利用。
#### 自动更新或通知
建议打开自动更新,除非你有一个非常好的理由不这么做,如担心自动更新将使您的系统无法使用(这是发生在过去,所以这种恐惧并非杞人忧天)。至少,你应该启用自动通知可用的更新。大多数发行版已经有这个服务自动运行,所以你不需要做任何事。查阅你的发行版文档查看更多。
你应该尽快应用所有明显的勘误即使这些不是特别贴上“安全更新”或有关联的CVE代码。所有错误都潜在的安全漏洞和新的错误比起坚持旧的已知的错误未知错误通常是更安全的策略。
#### 监控日志
你应该对你的系统上发生了什么很感兴趣。出于这个原因,你应该安装`logwatch`然后配置它每夜发送在你的系统上发生的任何事情的活动报告。这不会预防一个专业的攻击者,但是一个好安全网功能。
注意,许多systemd发行版将不再自动安装一个“logwatch”需要的syslog服务由于systemd依靠自己的分类所以你需要安装和启用“rsyslog”来确保使用logwatch之前你的/var/log不是空。
#### Rkhunter和IDS
安装`rkhunter`和一个入侵检测系统IDS像`aide`或者`tripwire`将不会有用,除非你确实理解他们如何工作采取必要的步骤来设置正确(例如,保证数据库在额外的媒介,从可信的环境运行检测,记住执行系统更新和配置更改后要刷新数据库散列,等等)。如果你不愿在你的工作站执行这些步骤调整你如何工作,这些工具将带来麻烦没有任何实在的安全益处。
我们强烈建议你安装`rkhunter`并每晚运行它。它相当易于学习和使用,虽然它不会阻止一个复杂的攻击者,它也能帮助你捕获你自己的错误。
## 个人工作站备份
工作站备份往往被忽视,或无计划的做,常常是不安全的方式。
### 清单
- [ ] 设置加密备份工作站到外部存储 _(关键)_
- [ ] 使用零认知云备份的备份工具 _(中等)_
### 注意事项
#### 全加密备份存到外部存储
把全部备份放到一个移动磁盘中比较方便,不用担心带宽和流速(在这个时代,大多数供应商仍然提供显著的不对称的上传/下载速度。不用说这个移动硬盘本身需要加密又一次通过LIKS或者你应该使用一个备份工具建立加密备份例如`duplicity`或者它的GUI版本`deja-dup`。我建议使用后者并使用随机生成的密码,保存到你的密码管理器中。如果你带上笔记本去旅行,把这个磁盘留在家,以防你的笔记本丢失或被窃时可以找回备份。
除了你的家目录外,你还应该备份`/etc`目录和处于鉴定目的的`/var/log`目录。
首先是,避免拷贝你的家目录到任何非加密存储上,甚至是快速的在两个系统上移动文件,一旦完成你肯定会忘了清除它,暴露个人隐私或者安全信息到监听者手中 -- 尤其是把这个存储跟你的笔记本防盗同一个包里。
#### 零认知站外备份选择性
站外备份也是相当重要的是否可以做到要么需要你的老板提供空间要么找一家云服务商。你可以建一个单独的duplicity/deja-dup配置只包括重要的文件以免传输大量你不想备份的数据网络缓存音乐下载等等
作为选择,你可以使用零认知备份工具,例如[SpiderOak][5]它提供一个卓越的Linux GUI工具还有实用的特性例如在多个系统或平台间同步内容。
## 最佳实践
下面是我们认为你应该采用的最佳实践列表。它当然不是非常详细的,而是试图提供实用的建议,一个可行的整体安全性和可用性之间的平衡
### 浏览
毫无疑问在你的系统上web浏览器将是最大、最容易暴露的攻击层面的软件。它是专门下载和执行不可信恶意代码的一个工具。它试图采用沙箱和代码卫生处理等多种机制保护你免受这种危险但是在之前多个场合他们都被击败了。你应该学到浏览网站是最不安全的活动在你参与的任何一天。
有几种方法可以减少浏览器的影响,但真正有效的方法需要你操作您的工作站将发生显著的变化。
#### 1: 实用两个不同的浏览器
这很容易做到,但是只有很少的安全效益。并不是所有浏览器都妥协给攻击者完全自由访问您的系统 -- 有时他们只能允许一个读取本地浏览器存储,窃取其他标签的活动会话,捕获输入浏览器,例如,实用两个不同的浏览器,一个用在工作/高安全站点,另一个用在其他,有助于防止攻击者请求整个饼干罐的小妥协。主要的不便是两个不同的浏览器消耗内存大量。
我们建议:
##### 火狐用来工作和高安全站点
使用火狐登陆工作有关的站点应该额外关心的是确保数据如cookies会话登陆信息打键次数等等明显不应该落入攻击者手中。除了少数的几个网站你不应该用这个浏览器访问其他网站。
你应该安装下面的火狐扩展:
- [ ] NoScript _(关键)_
- NoScript阻止活动内容加载除非在用户白名单里的域名。跟你默认浏览器比它使用起来很麻烦可是提供了真正好的安全效益所以我们建议只在开启了它的浏览器上访问与工作相关的网站。
- [ ] Privacy Badger _(关键)_
- EFF的Privacy Badger将在加载时预防大多数外部追踪器和广告平台在这些追踪站点影响你的浏览器时将有助于避免妥协追踪着和广告站点通常会成为攻击者的目标因为他们会迅速影响世界各地成千上万的系统
- [ ] HTTPS Everywhere _(关键)_
- 这个EFF开发的扩展将确保你访问的大多数站点都在安全连接上甚至你点击的连接使用的是http://(有效的避免大多数的攻击,例如[SSL-strip][7])。
- [ ] Certificate Patrol _(中等)_
- 如果你正在访问的站点最近改变了他们的TLS证书 -- 特别是如果不是接近失效期或者现在使用不同的证书颁发机构,这个工具将会警告你。它有助于警告你是否有人正尝试中间人攻击你的连接,但是产生很多无害的假的类似情况。
你应该让火狐成为你的默认打开连接的浏览器因为NoScript将在加载或者执行时阻止大多数活动内容。
##### 其他一切都用Chrome/Chromium
Chromium开发者在增加很多很好的安全特性方面比火狐强至少[在Linux上][6])例如seccomp沙箱内核用户名空间等等这担当一个你访问网站和你其他系统间额外的隔离层。Chromium是流开源项目Chrome是Google所有的基于它构建的包使用它输入时要非常谨慎任何你不想让谷歌知道的事情都不要使用它
有人推荐你在Chrome上也安装**Privacy Badger**和**HTTPS Everywhere**扩展,然后给他一个不同的主题,从火狐指出这是你浏览器“不信任的站点”。
#### 2: 使用两个不同浏览器,一个在专用的虚拟机里
这有点像上面建议的做法除了您将添加一个额外的步骤通过快速访问协议运行专用虚拟机内部Chrome允许你共享剪贴板和转发声音事件Spice或RDP。这将在不可信的浏览器和你其他的工作环境之间添加一个优秀的隔离层确保攻击者完全危害你的浏览器将不得不另外打破VM隔离层以达到系统的其余部分。
这是一个出奇可行的结构,但是需要大量的RAM和高速处理器可以处理增加的负载。这还需要一个重要的奉献的管理员需要相应地调整自己的工作实践。
#### 3: 通过虚拟化完全隔离你的工作和娱乐环境
看[Qubes-OS项目][3]它致力于通过划分你的应用到完全独立分开的VM中提供高安全工作环境。
### 密码管理器
#### 清单
- [ ] 使用密码管理器 _(关键)_
- [ ] 不相关的站点使用不同的密码 _(关键)_
- [ ] 使用支持团队共享的密码管理器 _(中等)_
- [ ] 给非网站用户使用一个单独的密码管理器 _(偏执)_
#### 注意事项
使用好的,唯一的密码对你的团队成员来说应该是非常关键的需求。证书盗取一直在发生 — 要么通过中间计算机,盗取数据库备份,远程站点利用,要么任何其他的打算。证书从不应该通过站点被重用,尤其是关键的应用。
##### 浏览器中的密码管理器
每个浏览器有一个比较安全的保存密码机制,通过供应商的机制可以同步到云存储同事用户提供密码保证数据加密。无论如何,这个机制有严重的劣势:
1. 不能跨浏览器工作
2. 不提供任何与团队成员共享凭证的方法
也有一些良好的支持,免费或便宜的密码管理器,很好的融合到多个浏览器,跨平台工作,提供小组共享(通常是支付服务)。可以很容易地通过搜索引擎找到解决方案。
##### 独立的密码管理器
任何密码管理器都有一个主要的缺点,与浏览器结合,事实上是应用的一部分,这样最有可能被入侵者攻击。如果这让你不舒服(应该这样),你应该选择两个不同的密码管理器 -- 一个集成在浏览器中用来保存网站密码一个作为独立运行的应用。后者可用于存储高风险凭证如root密码数据库密码其他shell账户凭证等。
有这样的工具可以特别有效的在团腿成员间共享超级用户的凭据服务器根密码ILO密码数据库管理密码引导装载程序密码等等
这几个工具可以帮助你:
- [KeePassX][8]2版中改善了团队共享
- [Pass][9]它使用了文本文件和PGP并与git结合
- [Django-Pstore][10]他是用GPG在管理员之间共享凭据
- [Hiera-Eyaml][11]如果你已经在你的平台中使用了Puppet可以便捷的追踪你的服务器/服务凭证像你的Hiera加密数据的一部分。
### 加固SSH和PGP私钥
个人加密密钥包括SSH和PGP私钥都是你工作站中最重要的物品 -- 攻击将在获取到感兴趣的东西,这将允许他们进一步攻击你的平台或冒充你为其他管理员。你应该采取额外的步骤,确保你的私钥免遭盗窃。
#### 清单
- [ ] 强壮的密码用来保护私钥 _(关键)_
- [ ] PGP的主密码保存在移动存储中 _(中等)_
- [ ] 身份验证、签名和加密注册表子项存储在智能卡设备 _(中等)_
- [ ] SSH配置为使用PGP认证密钥作为ssh私钥 _(中等)_
#### 注意事项
防止私钥被偷的最好方式是使用一个智能卡存储你的加密私钥不要拷贝到工作平台上。有几个厂商提供支持OpenPGP的设备
- [Kernel Concepts][12]在这里可以采购支持OpenPGP的智能卡和USB读取器你应该需要一个。
- [Yubikey NEO][13]这里提供OpenPGP功能的智能卡还提供很多很酷的特性U2F, PIV, HOTP等等
确保PGP主密码没有存储在工作平台也很重要只有子密码在使用。主密钥只有在登陆其他的密钥和创建子密钥时使用 — 不经常发生这种操作。你可以照着[Debian的子密钥][14]向导来学习如何移动你的主密钥到移动存储和创建子密钥。
你应该配置你的gnupg代理作为ssh代理然后使用基于智能卡PGP认证密钥作为你的ssh私钥。我们公布了一个细节向导如何使用智能卡读取器或Yubikey NEO。
如果你不想那么麻烦最少要确保你的PGP私钥和你的SSH私钥有个强健的密码这将让攻击者很难盗取使用它们。
### 工作站上的SELinux
如果你使用的发行版绑定了SELinux如Fedora这有些如何使用它的建议让你的工作站达到最大限度的安全。
#### 清单
- [ ] 确保你的工作站强制使用SELinux _(关键)_
- [ ] 不要盲目的执行`audit2allow -M`,经常检查 _(关键)_
- [ ] 从不 `setenforce 0` _(中等)_
- [ ] 切换你的用户到SELinux用户`staff_u` _(中等)_
#### 注意事项
SELinux是一个强制访问控制MAC为POSIX许可核心功能扩展。它是成熟强健自从它推出以来已经有很长的路了。不管怎样许多系统管理员现在重复过时的口头禅“关掉它就行。”
话虽如此在工作站上SELinux还是限制了安全效益像很多应用都要作为一个用户自由的运行。开启它有益于给网络提供足够的保护有可能有助于防止攻击者通过脆弱的后台服务提升到root级别的权限用户。
我们的建议是开启它并强制使用。
##### 从不`setenforce 0`
使用`setenforce 0`短时间内把SELinux设置为许可模式但是你应该避免这样做。其实你是想查找一个特定应用或者程序的问题实际上这样是把全部系统的SELinux关闭了。
你应该使用`semanage permissive -a [somedomain_t]`替换`setenforce 0`,只把这个程序放入许可模式。首先运行`ausearch`查看那个程序发生问题:
ausearch -ts recent -m avc
然后看下`scontext=`SELinux的上下文像这样
scontext=staff_u:staff_r:gpg_pinentry_t:s0-s0:c0.c1023
^^^^^^^^^^^^^^
这告诉你程序`gpg_pinentry_t`被拒绝了,所以你想查看应用的故障,应该增加它到许可模式:
semange permissive -a gpg_pinentry_t
这将允许你使用应用然后收集AVC的其他部分你可以连同`audit2allow`写一个本地策略。一旦完成你就不会看到新的AVC的拒绝你可以从许可中删除程序运行
semanage permissive -d gpg_pinentry_t
##### 用SELinux的用户staff_r使用你的工作站
SELinux附带的本地角色实现基于角色的用户帐户禁止或授予某些特权。作为一个管理员你应该使用`staff_r`角色,这可以限制访问很多配置和其他安全敏感文件,除非你先执行`sudo`。
默认,用户作为`unconfined_r`被创建你可以运行大多数应用没有任何或只有一点SELinux约束。转换你的用户到`staff_r`角色,运行下面的命令:
usermod -Z staff_u [username]
你应该退出然后登陆激活新角色,届时如果你运行`id -Z`,你将会看到:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
在执行`sudo`时你应该记住增加一个额外的标准告诉SELinux转换到"sysadmin"角色。你想要的命令是:
sudo -i -r sysadm_r
届时`id -Z`将会显示:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
**警告**:在进行这个切换前你应该舒服的使用`ausearch`和`audit2allow`,当你作为`staff_r`角色运行时你的应用有可能不再工作了。写到这里时,以下流行的应用已知在`staff_r`下没有做策略调整就不会工作:
- Chrome/Chromium
- Skype
- VirtualBox
切换回`unconfined_r`,运行下面的命令:
usermod -Z unconfined_u [username]
然后注销再重新回到舒服的区域。
## 延伸阅读
IT安全的世界是一个没有底的兔子洞。如果你想深入或者找到你的具体发行版更多的安全特性请查看下面这些链接
- [Fedora Security Guide](https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/index.html)
- [CESG Ubuntu Security Guide](https://www.gov.uk/government/publications/end-user-devices-security-guidance-ubuntu-1404-lts)
- [Debian Security Manual](https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)
- [Arch Linux Security Wiki](https://wiki.archlinux.org/index.php/Security)
- [Mac OSX Security](https://www.apple.com/support/security/guides/)
## 许可
这项工作在[创作共用授权4.0国际许可证][0]许可下。
--------------------------------------------------------------------------------
via: https://github.com/lfit/itpol/blob/master/linux-workstation-security.md#linux-workstation-security-list
作者:[mricon][a]
译者:[wyangsun](https://github.com/wyangsun)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://github.com/mricon
[0]: http://creativecommons.org/licenses/by-sa/4.0/
[1]: https://github.com/QubesOS/qubes-antievilmaid
[2]: https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
[3]: https://qubes-os.org/
[4]: https://xkcd.com/936/
[5]: https://spideroak.com/
[6]: https://code.google.com/p/chromium/wiki/LinuxSandboxing
[7]: http://www.thoughtcrime.org/software/sslstrip/
[8]: https://keepassx.org/
[9]: http://www.passwordstore.org/
[10]: https://pypi.python.org/pypi/django-pstore
[11]: https://github.com/TomPoulton/hiera-eyaml
[12]: http://shop.kernelconcepts.de/
[13]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
[14]: https://wiki.debian.org/Subkeys
[15]: https://github.com/lfit/ssh-gpg-smartcard-config
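Review bot: the translation being removed here still carries a command typo at `semange permissive -a gpg_pinentry_t` (the tool is `semanage`, as the neighbouring line `semanage permissive -d gpg_pinentry_t` shows), an untranslated leftover line `**User-level**, used for the following:` sitting directly above its Chinese counterpart `**用户级别**,用在以下:`, and a reference `[15]: https://github.com/lfit/ssh-gpg-smartcard-config` that is defined but never linked from the sentence "我们公布了一个细节向导如何使用智能卡读取器或Yubikey NEO". If this file is being replaced by a reworked translation of the same checklist elsewhere in this commit, confirm the new copy fixes all three rather than inheriting them.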


@ -1,80 +0,0 @@
如何监控linux 命令行的命令执行进度
================================================================================
![](https://www.maketecheasier.com/assets/uploads/2015/11/pv-featured-1.jpg)
如果你是一个linux 系统管理员,那么毫无疑问你必须花费大量的工作时间在命令行上:安装和卸载软件,监视系统状态,复制、移动、删除文件,查错,等等。很多时候都是你输入一个命令,然后等待很长时间直到执行完成。也有的时候你执行的命令挂起了,而你只能猜测命令执行的实际情况。
通常linux命令不提供和进度相关的信息而这些信息特别重要尤其当你只有有限的时间时。然而这并不意味着你是无助的-现在有一个命令pv他会显示当前在命令行执行的命令的进度信息。在本文我们会讨论它并用几个简单的例子说明种特性。
### PV 命令 ###
[PV][1] 由Andrew Wood 开发是Pipe Viewer 的简称,意思是通过管道显示数据处理进度的信息。这些信息包括已经耗费的时间,完成的百分比(通过进度条显示),当前的速度,要传输的全部数据,以及估计剩余的时间。
>"要使用PV需要配合合适的选项把它放置在两个进程之间的管道。命令的标准输入将会通过标准输出传进来的而进度会被输出到标准错误输出。”
上面解释了命令的主页(?)
### 下载和安装 ###
Debian 系的操作系统如Ubuntu可以简单的使用下面的命令安装PV
sudo apt-get install pv
如果你使用了其他发行版本你可以使用各自的包管理软件在你的系统上安装PV。一旦PV 安装好了你就可以在各种场合使用它详见下文。需要注意的是下面所有例子都可以正常的鱼pv 1.2.0 工作。
### 特性和用法 ###
我们在linux 上使用命令行的用户的大多数使用场景都会用到的命令是从一个USB 驱动器拷贝电影文件到你的电脑。如果你使用cp 来完成上面的任务,你会什么情况都不清楚知道整个复制过程结束或者出错。
然而pv 命令在这种情景下很有帮助。比如:
pv /media/himanshu/1AC2-A8E3/fNf.mkv > ./Desktop/fnf.mkv
输出如下:
![pv-copy](https://www.maketecheasier.com/assets/uploads/2015/10/pv-copy.png)
所以,如你所见,这个命令显示了很多和操作有关的有用信息,包括已经传输了的数据量,花费的时间,传输速率,进度条,进度的百分比,已经剩余的时间。
`pv` 命令提供了多种显示选项开关。比如,你可以使用`-p` 来显示百分比,`-t` 来显示时间,`-r` 表示传输速率,`-e` 代表eta译注估计剩余的时间。好事是你不必记住某一个选项因为默认这几个选项都是使能的。但是如果你只要其中某一个信息那么可以通过控制这几个选项来完成任务。
整理还有一个`-n` 选项来允许pv 命令显示整数百分比,在标准错误输出上每行显示一个数字,用来替代通常的视觉进度条。下面是一个例子:
pv -n /media/himanshu/1AC2-A8E3/fNf.mkv > ./Desktop/fnf.mkv
![pv-numeric](https://www.maketecheasier.com/assets/uploads/2015/10/pv-numeric.png)
这个特殊的选项非常合适某些情境下的需求,如你想把用管道把输出传给[dialog][2] 命令。
接下来还有一个命令行选项,`-L` 可以让你修改pv 命令的传输速率。举个例子,使用-L 选项来限制传输速率为2MB/s。
pv -L 2m /media/himanshu/1AC2-A8E3/fNf.mkv > ./Desktop/fnf.mkv
![pv-ratelimit](https://www.maketecheasier.com/assets/uploads/2015/10/pv-ratelimit.png)
如上图所见,数据传输速度按照我们的要求被限制了。
另一个pv 可以帮上忙的情景是压缩文件。这里有一个例子可以向你解释如何与压缩软件Gzip 一起工作。
pv /media/himanshu/1AC2-A8E3/fnf.mkv | gzip > ./Desktop/fnf.log.gz
![pv-gzip](https://www.maketecheasier.com/assets/uploads/2015/10/pv-gzip.png)
### 结论 ###
如上所述pv 是一个非常有用的小工具它可以在命令没有按照预期执行的情况下帮你节省你宝贵的时间。而且这些现实的信息还可以用在shell 脚本里。我强烈的推荐你使用这个命令,他值得你一试。
--------------------------------------------------------------------------------
via: https://www.maketecheasier.com/monitor-progress-linux-command-line-operation/
作者:[Himanshu Arora][a]
译者:[ezio](https://github.com/oska874)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.maketecheasier.com/author/himanshu/
[1]:http://linux.die.net/man/1/pv
[2]:http://linux.die.net/man/1/dialog
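Review bot: the file being removed still contains an unresolved translator marker at `上面解释了命令的主页(?)` (the sentence should say that the quoted text is from the command's man page) and the typo `可以正常的鱼pv 1.2.0 工作` (鱼 for 与). If this translation is being moved to the published tree in this commit, check that the moved copy has both corrected rather than carried over.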


@ -0,0 +1,197 @@
Linux / Unix: jobs 命令示例
================================================================================
我是个新的 Linux 或 Unix 用户。如何在 Linux 或类 Unix 系统中使用 BASH/KSH/TCSH 或者基于 POSIX 的 shell 来查看当前正在进行的作业?在 Unix/Linux 上怎样显示当前作业的状态?
作业控制的是什么,停止/暂停进程(命令)的执行并按你的要求继续/恢复它们的执行。这是根据你的操作系统和 shell 如bash/ksh 或 POSIX shell 来执行的。
shell 会将当前所执行的作业保存在一个表中,可以用 jobs 命令来显示。
### 目的 ###
> 在当前 shell 会话中显示作业的状态。
### 语法 ###
其基本语法如下:
jobs
jobs jobID
或者
jobs [options] jobID
### 启动一些作业来进行示范 ###
在开始使用 jobs 命令前,你需要在系统上先启动多个作业。执行以下命令来启动作业:
## 启动 xeyes, calculator, 和 gedit 文本编辑器 ###
xeyes &
gnome-calculator &
gedit fetch-stock-prices.py &
最后,在前台运行 ping 命令:
ping www.cyberciti.biz
**Ctrl-Z** 键来暂停 ping 命令的作业。
### jobs 命令示例 ###
要在当前 shell 显示作业的状态,请输入:
$ jobs
输出示例:
[1] 7895 Running gpass &
[2] 7906 Running gnome-calculator &
[3]- 7910 Running gedit fetch-stock-prices.py &
[4]+ 7946 Stopped ping cyberciti.biz
要显示进程 ID 或作业名称请使用 “P” 选项,输入:
$ jobs -p %p
或者
$ jobs %p
输出示例:
[4]- Stopped ping cyberciti.biz
字符 后加一个作业。在这个例子中,你需要使用作业的名称来暂停它,如 ping。
### 如何显示进程 ID 不包含其他正常的信息? ###
通过 jobs 命令的 -l小写的 L选项列出每个作业的详细信息运行
$ jobs -l
示例输出:
![Fig.01: Displaying the status of jobs in the shell](http://s0.cyberciti.org/uploads/faq/2013/02/jobs-command-output.jpg)
Fig.01: 在 shell 中显示 jobs 的状态
### 如何只列出最近一次状态改变的进程? ###
首先,启动一个新的工作如下所示:
$ sleep 100 &
现在,只显示作业最近一次的状态(停止或退出),输入:
$ jobs -n
示例输出:
[5]- Running sleep 100 &
### 仅显示进程 IDPID ###
通过 jobs 命令的 -p 选项仅显示 PID
$ jobs -p
示例输出:
7895
7906
7910
7946
7949
### 怎样只显示正在运行的作业呢? ###
通过 jobs 命令的 -r 选项只显示正在运行的作业,输入:
$ jobs -r
示例输出:
[1] Running gpass &
[2] Running gnome-calculator &
[3]- Running gedit fetch-stock-prices.py &
### 怎样只显示已经停止工作的作业? ###
通过 jobs 命令的 -s 选项只显示停止工作的作业,输入:
$ jobs -s
示例输出:
[4]+ Stopped ping cyberciti.biz
要继续执行 ping cyberciti.biz 作业,输入以下 bg 命令:
$ bg %4
### jobs 命令选项 ###
摘自 [bash(1)][1] 命令 man 手册页:
注:表格
<table border="1">
<tbody>
<tr>
<td>Option</td>
<td>Description</td>
</tr>
<tr>
<td><kbd><strong>-l</strong></kbd></td>
<td>Show process id's in addition to the normal information.</td>
</tr>
<tr>
<td><kbd><strong>-p</strong></kbd></td>
<td>Show process id's only.</td>
</tr>
<tr>
<td><kbd><strong>-n</strong></kbd></td>
<td>Show only processes that have changed status since the last notification are printed.</td>
</tr>
<tr>
<td><kbd><strong>-r</strong></kbd></td>
<td>Restrict output to running jobs only.</td>
</tr>
<tr>
<td><kbd><strong>-s</strong></kbd></td>
<td>Restrict output to stopped jobs only.</td>
</tr>
<tr>
<td><kbd><strong>-x</strong></kbd></td>
<td>COMMAND is run after all job specifications that appear in ARGS have been replaced with the process ID of that job's process group leader./td&gt;</td>
</tr>
</tbody>
</table>
### 关于 /usr/bin/jobs 和 shell 内建的说明 ###
输入以下 type 命令找出是否 jobs 命令是 shell 的内建命令或是外部命令:
$ type -a jobs
输出示例:
jobs is a shell builtin
jobs is /usr/bin/jobs
在几乎所有情况下jobs 命令都是作为 BASH/KSH/POSIX shell 内建命令被实现的。/usr/bin/jobs 命令不能被用在当前 shell 中。/usr/bin/jobs 命令工作在不同的环境中不共享父 bash/ksh 的 shells 来执行作业。
--------------------------------------------------------------------------------
via:
作者Vivek Gite
译者:[strugglingyouth](https://github.com/strugglingyouth)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[1]:http://www.manpager.com/linux/man1/bash.1.html
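Review bot: the `%` job-spec character has been lost from the prose: `请使用 “P” 选项` and `字符 后加一个作业` should read `请使用 “%” 选项` and `字符 % 后加一个作业`, matching the command lines `jobs -p %p` and `jobs %p` shown just above them. The heading `### 如何显示进程 ID 不包含其他正常的信息? ###` also contradicts the `-l` row of the options table ("Show process id's in addition to the normal information"); it should say the PID is shown in addition to the normal output, not instead of it. Two smaller fixes: the `-x` table cell ends with stray HTML debris `/td&gt;</td>` that will render literally, and the `via:` line in the footer is empty and needs the source URL.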


@ -0,0 +1,464 @@
通过Dockerize这篇博客来开启我们的Docker之旅
===
>这篇文章将包含Docker的基本概念以及如何通过创建一个定制的Dockerfile来Dockerize一个应用
>作者Benjamin Cane2015-12-01 10:00:00
Docker是2年前从某个idea中孕育而生的有趣技术世界各地的公司组织都积极使用它来部署应用。在今天的文章中我将教你如何通过"Dockerize"一个现有的应用来开始我们的Docker运用。问题中的应用指的就是这篇博客
## 什么是Docker
当我们开始学习Docker基本概念时让我们先去搞清楚什么是Docker以及它为什么这么流行。Docker是一个操作系统容器管理工具它通过将应用打包在操作系统容器中来方便我们管理和部署应用。
### 容器 vs. 虚拟机
容器虽和虚拟机并不完全相似,但它也是一种提供**操作系统虚拟化**的方式。但是,它和标准的虚拟机还是有不同之处的。
标准虚拟机一般会包括一个完整的操作系统,操作系统包,最后还有一至两个应用。这都得益于为虚拟机提供硬件虚拟化的管理程序。这样一来,一个单一的服务器就可以将许多独立的操作系统作为虚拟客户机运行了。
容器和虚拟机很相似,它们都支持在单一的服务器上运行多个操作环境,只是,在容器中,这些环境并不是一个个完整的操作系统。容器一般只包含必要的操作系统包和一些应用。它们通常不会包含一个完整的操作系统或者硬件虚拟化程序。这也意味着容器比传统的虚拟机开销更少。
容器和虚拟机常被误认为是两种抵触的技术。虚拟机采用同一个物理服务器,来提供全功能的操作环境,该环境会和其余虚拟机一起共享这些物理资源。容器一般用来隔离运行中的应用进程,运行进程将在单独的主机中运行,以保证隔离后的进程之间不能相互影响。事实上,容器和**BSD Jails**以及`chroot`进程的相似度,超过了和完整虚拟机的相似度。
### Docker在容器的上层提供了什么
Docker不是一个容器运行环境事实上只是一个容器技术并不包含那些帮助Docker支持[Solaris Zones](https://blog.docker.com/2015/08/docker-oracle-solaris-zones/)和[BSD Jails](https://wiki.freebsd.org/Docker)的技术。Docker提供管理打包和部署容器的方式。虽然一定程度上虚拟机多多少少拥有这些类似的功能但虚拟机并没有完整拥有绝大多数的容器功能即使拥有这些功能用起来都并没有Docker来的方便。
现在我们应该知道Docker是什么了然后我们将从安装Docker并部署一个公共的预构建好的容器开始学习Docker是如何工作的。
## 从安装开始
默认情况下Docker并不会自动被安装在您的计算机中所以第一步就是安装Docker包我们的教学机器系统是Ubuntu 14.0.4所以我们将使用Apt包管理器来执行安装操作。
```
# apt-get install docker.io
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
aufs-tools cgroup-lite git git-man liberror-perl
Suggested packages:
btrfs-tools debootstrap lxc rinse git-daemon-run git-daemon-sysvinit git-doc
git-el git-email git-gui gitk gitweb git-arch git-bzr git-cvs git-mediawiki
git-svn
The following NEW packages will be installed:
aufs-tools cgroup-lite docker.io git git-man liberror-perl
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,553 kB of archives.
After this operation, 46.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
```
为了检查当前是否有容器运行,我们可以执行`docker`命令,加上`ps`选项
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
```
`docker`命令中的`ps`功能类似于Linux的`ps`命令。它将显示可找到的Docker容器以及各自的状态。由于我们并没有开启任何Docker容器所以命令没有显示任何正在运行的容器。
## 部署一个预构建好的nginx Docker容器
我比较喜欢的Docker特性之一就是Docker部署预先构建好的容器的方式就像`yum`和`apt-get`部署包一样。为了更好地解释我们来部署一个运行着nginx web服务器的预构建容器。我们可以继续使用`docker`命令,这次选择`run`选项。
```
# docker run -d nginx
Unable to find image 'nginx' locally
Pulling repository nginx
5c82215b03d1: Download complete
e2a4fb18da48: Download complete
58016a5acc80: Download complete
657abfa43d82: Download complete
dcb2fe003d16: Download complete
c79a417d7c6f: Download complete
abb90243122c: Download complete
d6137c9e2964: Download complete
85e566ddc7ef: Download complete
69f100eb42b5: Download complete
cd720b803060: Download complete
7cc81e9a118a: Download complete
```
`docker`命令的`run`选项用来通知Docker去寻找一个指定的Docker镜像然后开启运行着该镜像的容器。默认情况下Docker容器在前台运行这意味着当你运行`docker run`命令的时候你的shell会被绑定到容器的控制台以及运行在容器中的进程。为了能在后台运行该Docker容器我们可以使用`-d` (**detach**)标志。
再次运行`docker ps`命令可以看到nginx容器正在运行。
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f6d31ab01fc9 nginx:latest nginx -g 'daemon off 4 seconds ago Up 3 seconds 443/tcp, 80/tcp desperate_lalande
```
从上面的打印信息中,我们可以看到正在运行的名为`desperate_lalande`的容器,它是由`nginx:latest image`译者注nginx最新版本的镜像构建而来得。
### Docker镜像
镜像是Docker的核心特征之一类似于虚拟机镜像。和虚拟机镜像一样Docker镜像是一个被保存并打包的容器。当然Docker不只是创建镜像它还可以通过Docker仓库发布这些镜像Docker仓库和包仓库的概念差不多它让Docker能够模仿`yum`部署包的方式来部署镜像。为了更好地理解这是怎么工作的,我们来回顾`docker run`执行后的输出。
```
# docker run -d nginx
Unable to find image 'nginx' locally
```
我们可以看到第一条信息是Docker不能在本地找到名叫nginx的镜像。这是因为当我们执行`docker run`命令时告诉Docker运行一个基于nginx镜像的容器。既然Docker要启动一个基于特定镜像的容器那么Docker首先需要知道那个指定镜像。在检查远程仓库之前Docker首先检查本地是否存在指定名称的本地镜像。
因为系统是崭新的不存在nginx镜像Docker将选择从Docker仓库下载之。
```
Pulling repository nginx
5c82215b03d1: Download complete
e2a4fb18da48: Download complete
58016a5acc80: Download complete
657abfa43d82: Download complete
dcb2fe003d16: Download complete
c79a417d7c6f: Download complete
abb90243122c: Download complete
d6137c9e2964: Download complete
85e566ddc7ef: Download complete
69f100eb42b5: Download complete
cd720b803060: Download complete
7cc81e9a118a: Download complete
```
这就是第二部分打印信息显示给我们的内容。默认Docker会使用[Docker Hub](https://hub.docker.com/)仓库该仓库由Docker公司维护。
和Github一样在Docker Hub创建公共仓库是免费的私人仓库就需要缴纳费用了。当然部署你自己的Docker仓库也是可以实现的事实上只需要简单地运行`docker run registry`命令就行了。但在这篇文章中,我们的重点将不是讲解如何部署一个定制的注册服务。
### 关闭并移除容器
在我们继续构建定制容器之前我们先清理Docker环境我们将关闭先前的容器并移除它。
我们利用`docker`命令和`run`选项运行一个容器,所以,为了停止该相同的容器,我们简单地在执行`docker`命令时,使用`kill`选项,并指定容器名。
```
# docker kill desperate_lalande
desperate_lalande
```
当我们再次执行`docker ps`,就不再有容器运行了
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
```
但是,此时,我们这是停止了容器;虽然它不再运行,但仍然存在。默认情况下,`docker ps`只会显示正在运行的容器,如果我们附加`-a` (all) 标识,它会显示所有运行和未运行的容器。
```
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f6d31ab01fc9 5c82215b03d1 nginx -g 'daemon off 4 weeks ago Exited (-1) About a minute ago desperate_lalande
```
为了能完整地移除容器,我们在用`docker`命令时,附加`rm`选项。
```
# docker rm desperate_lalande
desperate_lalande
```
虽然容器被移除了;但是我们仍拥有可用的**nginx**镜像(译者注:镜像缓存)。如果我们重新运行`docker run -d nginx`Docker就无需再次拉取nginx镜像即可启动容器。这是因为我们本地系统中已经保存了一个副本。
为了列出系统中所有的本地镜像,我们运行`docker`命令,附加`images`选项。
```
# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
nginx latest 9fab4090484a 5 days ago 132.8 MB
```
## 构建我们自己的镜像
截至目前我们已经使用了一些基础的Docker命令来开启停止和移除一个预构建好的普通镜像。为了"Dockerize"这篇博客,我们需要构建我们自己的镜像,也就是创建一个**Dockerfile**。
在大多数虚拟机环境中如果你想创建一个机器镜像首先你需要建立一个新的虚拟机安装操作系统安装应用最后将其转换为一个模板或者镜像。但在Docker中所有这些步骤都可以通过Dockerfile实现全自动。Dockerfile是向Docker提供构建指令去构建定制镜像的方式。在这一章节我们将编写能用来部署这篇博客的定制Dockerfile。
### 理解应用
我们开始构建Dockerfile之前第一步要搞明白我们需要哪些东西来部署这篇博客。
博客本质上是由静态站点生成器生成的静态HTML页面这个静态站点是我编写的名为**hamerkop**。这个生成器很简单,它所做的就是生成该博客站点。所有的博客源码都被我放在了一个公共的[Github仓库](https://github.com/madflojo/blog)。为了部署这篇博客我们要先从Github仓库把博客内容拉取下来然后安装**Python**和一些**Python**模块,最后执行`hamerkop`应用。我们还需要安装**nginx**,来运行生成后的内容。
截止目前这些还是一个简单的Dockerfile但它却给我们展示了相当多的[Dockerfile语法]((https://docs.docker.com/v1.8/reference/builder/))。我们需要克隆Github仓库然后使用你最喜欢的编辑器编写Dockerfile我选择`vi`
```
# git clone https://github.com/madflojo/blog.git
Cloning into 'blog'...
remote: Counting objects: 622, done.
remote: Total 622 (delta 0), reused 0 (delta 0), pack-reused 622
Receiving objects: 100% (622/622), 14.80 MiB | 1.06 MiB/s, done.
Resolving deltas: 100% (242/242), done.
Checking connectivity... done.
# cd blog/
# vi Dockerfile
```
### FROM - 继承一个Docker镜像
第一条Dockerfile指令是`FROM`指令。这将指定一个现存的镜像作为我们的基础镜像。这也从根本上给我们提供了继承其他Docker镜像的途径。在本例中我们还是从刚刚我们使用的**nginx**开始,如果我们想重新开始,我们可以通过指定`ubuntu:latest`来使用**Ubuntu** Docker镜像。
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
```
除了`FROM`指令,我还使用了`MAINTAINER`它用来显示Dockerfile的作者。
Docker支持使用`#`作为注释我将经常使用该语法来解释Dockerfile的部分内容。
### 运行一次测试构建
因为我们继承了**nginx** Docker镜像我们现在的Dockerfile也就包括了用来构建**nginx**镜像的[Dockerfile](https://github.com/nginxinc/docker-nginx/blob/08eeb0e3f0a5ee40cbc2bc01f0004c2aa5b78c15/Dockerfile)中所有指令。这意味着此时我们可以从该Dockerfile中构建出一个Docker镜像然后从该镜像中运行一个容器。虽然最终的镜像和**nginx**镜像本质上是一样的但是我们这次是通过构建Dockerfile的形式然后我们将讲解Docker构建镜像的过程。
想要从Dockerfile构建镜像我们只需要在运行`docker`命令的时候,加上**build**选项。
```
# docker build -t blog /root/blog
Sending build context to Docker daemon 23.6 MB
Sending build context to Docker daemon
Step 0 : FROM nginx:latest
---> 9fab4090484a
Step 1 : MAINTAINER Benjamin Cane <ben@bencane.com>
---> Running in c97f36450343
---> 60a44f78d194
Removing intermediate container c97f36450343
Successfully built 60a44f78d194
```
上面的例子,我们使用了`-t` (**tag**)标识给镜像添加"blog"的标签。本质上我们只是在给镜像命名如果我们不指定标签就只能通过Docker分配的**Image ID**来访问镜像了。本例中从Docker构建成功的信息可以看出**Image ID**值为`60a44f78d194`。
除了`-t`标识外,我还指定了目录`/root/blog`。该目录被称作"构建目录"它将包含Dockerfile以及其他需要构建该容器的文件。
现在我们构建成功,下面我们开始定制该镜像。
### 使用RUN来执行apt-get
用来生成HTML页面的静态站点生成器是用**Python**语言编写的所以在Dockerfile中需要做的第一件定制任务是安装Python。我们将使用Apt包管理器来安装Python包这意味着在Dockerfile中我们要指定运行`apt-get update`和`apt-get install python-dev`;为了完成这一点,我们可以使用`RUN`指令。
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
## Install python and pip
RUN apt-get update
RUN apt-get install -y python-dev python-pip
```
As shown above, we simply tell Docker to execute the given `apt-get` commands while building the image. The interesting part is that these commands run only in the container's context: even though `python-dev` and `python-pip` are installed in the container, the host itself does not get them. Put simply, the `pip` command exists only inside the container; outside it there is no `pip`.
Another important point is that the Docker build process does not accept user input, so every command run by a `RUN` instruction must complete without interaction. That adds some difficulty, since many applications prompt during installation. In our example none of the commands run by `RUN` need input (which is why `apt-get install` gets the `-y` flag).
### Installing Python modules
With **Python** installed, we now need the Python modules. Outside Docker we would normally do this with `pip`, pointing it at the file named `requirements.txt` in the blog's Git repository. In an earlier step we used `git` to clone the GitHub repository into `/root/blog`, which happens to be the directory where we created the `Dockerfile`. That matters, because it means Docker can access the repository's contents during the build.
When we run a build, Docker sets the build context to the specified "build directory". Every file in that directory can be used during the build; files outside it (outside the build context) cannot be accessed.
To install the required Python modules we need to copy `requirements.txt` from the build directory into the container, which we do with the `COPY` instruction in the `Dockerfile`.
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
## Install python and pip
RUN apt-get update
RUN apt-get install -y python-dev python-pip
## Create a directory for required files
RUN mkdir -p /build/
## Add requirements file and run pip
COPY requirements.txt /build/
RUN pip install -r /build/requirements.txt
```
We added three instructions to the `Dockerfile`. The first uses `RUN` to create the `/build/` directory in the container; it will hold everything the application needs to generate the static HTML pages. The second is `COPY`, which copies `requirements.txt` from the "build directory" (`/root/blog`) into `/build/` in the container. The third uses `RUN` to execute `pip`, installing every module listed in `requirements.txt`.
`COPY` is an important instruction when building custom images. If the Dockerfile did not copy the file in, the image would not contain `requirements.txt` at all. Everything in a Docker container is isolated: unless the Dockerfile explicitly puts a dependency in, the container will not have it. The reverse holds too: anything `COPY` puts into the image ends up in a layer that ships with it, even if a later instruction deletes the file, so never copy secrets in this way.
### Re-running the build
Now that Docker performs some customization for us, let's try another build of the blog image.
```
# docker build -t blog /root/blog
Sending build context to Docker daemon 19.52 MB
Sending build context to Docker daemon
Step 0 : FROM nginx:latest
---> 9fab4090484a
Step 1 : MAINTAINER Benjamin Cane <ben@bencane.com>
---> Using cache
---> 8e0f1899d1eb
Step 2 : RUN apt-get update
---> Using cache
---> 78b36ef1a1a2
Step 3 : RUN apt-get install -y python-dev python-pip
---> Using cache
---> ef4f9382658a
Step 4 : RUN mkdir -p /build/
---> Running in bde05cf1e8fe
---> f4b66e09fa61
Removing intermediate container bde05cf1e8fe
Step 5 : COPY requirements.txt /build/
---> cef11c3fb97c
Removing intermediate container 9aa8ff43f4b0
Step 6 : RUN pip install -r /build/requirements.txt
---> Running in c50b15ddd8b1
Downloading/unpacking jinja2 (from -r /build/requirements.txt (line 1))
Downloading/unpacking PyYaml (from -r /build/requirements.txt (line 2))
<truncated to reduce noise>
Successfully installed jinja2 PyYaml mistune markdown MarkupSafe
Cleaning up...
---> abab55c20962
Removing intermediate container c50b15ddd8b1
Successfully built abab55c20962
```
The output shows that the build succeeded, and it also contains an interesting message: ` ---> Using cache`. This tells us that Docker used its build cache while building the image.
### The Docker build cache
When Docker builds an image it does not build a single image; in fact it builds many images during the process. From the output above we can see that after each "step" Docker creates a new image.
```
Step 5 : COPY requirements.txt /build/
---> cef11c3fb97c
```
The last line of that snippet shows Docker telling us it created a new image by printing its **Image ID**, `cef11c3fb97c`. The useful part is that Docker can use these intermediate images as a cache for later builds of the **blog** image, which speeds up rebuilds of the same container. In the example above, Docker did not reinstall the `python-dev` and `python-pip` packages; it used the cached images instead. But because Docker found no cached result for the `mkdir` command, every step after it was executed again.
The build cache is a blessing and sometimes a curse, because the decision to use the cache or to re-run an instruction is made on a narrow basis. For example, if `requirements.txt` changes, Docker detects the change at build time and re-executes every instruction from that point on; it can do this because it looks at the contents of `requirements.txt`. An `apt-get` command is another story. If the **Apt** repository that provides the Python packages ships a newer python-pip, Docker does not detect the change and uses the build cache instead, so the older version of the package is installed. For `python-pip` this is no big deal, but for a cached package with a critical security flaw it is a serious problem. The usual mitigation is to run `apt-get update` and `apt-get install` in the same `RUN` instruction, so that the package index can never come from a cached layer that the install step does not share.
For that reason it is a good idea to discard the Docker cache and rebuild the image periodically. To do so, simply pass `--no-cache` (or `--no-cache=true`) when running the Docker build.
## Deploying the rest of the blog
With the Python packages and modules installed, next we copy in the application files we need and run the `hamerkop` application. This only takes a few more `COPY` and `RUN` instructions.
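As an added example (not code from the original article or from the blog project it describes), the following Python script checks a Dockerfile for the cache pitfall just discussed: `apt-get update` and `apt-get install` living in separate `RUN` layers. The two Dockerfile samples embedded in it are constructed for the example; the first mirrors the layout used in this article, the second shows the usual fix of running both commands in one `RUN`. The script also flags an `apt-get install` without `-y`, since a build has no stdin to answer prompts.

```python
"""Dockerfile cache-staleness lint.

Added example for the build-cache discussion; not code from the original
article or the blog project. It parses a Dockerfile into instructions and
flags the pattern that lets Docker's build cache serve a stale Apt package
index: `apt-get update` and `apt-get install` in different RUN layers.
"""
import re

APT_UPDATE = re.compile(r"\bapt-get\s+update\b")
APT_INSTALL = re.compile(r"\bapt-get\s+install\b")
# -y, -qy, --yes, --assume-yes: anything that keeps apt-get from prompting,
# because a docker build has no stdin to answer the prompt with.
APT_ASSUME_YES = re.compile(r"(?:^|\s)(?:-[a-zA-Z]*y|--yes|--assume-yes)\b")


def parse_dockerfile(text):
    """Return [(INSTRUCTION, arguments), ...] in file order.

    Comment lines are dropped and a trailing backslash joins the next line,
    which is how the Docker builder itself reads a Dockerfile. Instructions
    are numbered from 1 by their position in the returned list.
    """
    instructions = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        pending += line
        head, _, rest = pending.partition(" ")
        instructions.append((head.upper(), rest.strip()))
        pending = ""
    if pending.strip():  # file ended on a continuation line
        head, _, rest = pending.partition(" ")
        instructions.append((head.upper(), rest.strip()))
    return instructions


def lint(text):
    """Return [(instruction_number, message), ...] for every cache-unsafe RUN."""
    findings = []
    for number, (instruction, args) in enumerate(parse_dockerfile(text), start=1):
        if instruction != "RUN":
            continue
        has_update = bool(APT_UPDATE.search(args))
        has_install = bool(APT_INSTALL.search(args))
        if has_update and not has_install:
            findings.append((number, "apt-get update in its own layer: the cached "
                                     "package index goes stale while later installs "
                                     "keep hitting the cache"))
        if has_install and not has_update:
            findings.append((number, "apt-get install without apt-get update in the "
                                     "same RUN: may install from a stale cached index"))
        if has_install and not APT_ASSUME_YES.search(args):
            findings.append((number, "apt-get install without -y: the build has no "
                                     "stdin and will fail at the prompt"))
    return findings


# Constructed sample: the article's layout, update and install in separate layers.
WEAK_DOCKERFILE = """\
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>

## Install python and pip
RUN apt-get update
RUN apt-get install -y python-dev python-pip
"""

# Constructed sample: one layer, so index and install are always cached (or
# rebuilt) together; the package lists are removed to keep the layer small.
FIXED_DOCKERFILE = """\
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>

RUN apt-get update \\
    && apt-get install -y --no-install-recommends python-dev python-pip \\
    && rm -rf /var/lib/apt/lists/*
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("fixed", FIXED_DOCKERFILE)):
        print(f"{name}: {lint(text) or 'no findings'}")
```

Run it against a real file with `lint(open("Dockerfile").read())`. The combined layer does not remove the need for periodic `--no-cache` rebuilds: it guarantees that the package index and the install are cached together, not that they are fresh.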
```
## Dockerfile that generates an instance of http://bencane.com
FROM nginx:latest
MAINTAINER Benjamin Cane <ben@bencane.com>
## Install python and pip
RUN apt-get update
RUN apt-get install -y python-dev python-pip
## Create a directory for required files
RUN mkdir -p /build/
## Add requirements file and run pip
COPY requirements.txt /build/
RUN pip install -r /build/requirements.txt
## Add blog code and required files
COPY static /build/static
COPY templates /build/templates
COPY hamerkop /build/
COPY config.yml /build/
COPY articles /build/articles
## Run Generator
RUN /build/hamerkop -c /build/config.yml
```
Now that we have written the remaining build instructions, let's run another build and make sure the image builds successfully.
```
# docker build -t blog /root/blog/
Sending build context to Docker daemon 19.52 MB
Sending build context to Docker daemon
Step 0 : FROM nginx:latest
---> 9fab4090484a
Step 1 : MAINTAINER Benjamin Cane <ben@bencane.com>
---> Using cache
---> 8e0f1899d1eb
Step 2 : RUN apt-get update
---> Using cache
---> 78b36ef1a1a2
Step 3 : RUN apt-get install -y python-dev python-pip
---> Using cache
---> ef4f9382658a
Step 4 : RUN mkdir -p /build/
---> Using cache
---> f4b66e09fa61
Step 5 : COPY requirements.txt /build/
---> Using cache
---> cef11c3fb97c
Step 6 : RUN pip install -r /build/requirements.txt
---> Using cache
---> abab55c20962
Step 7 : COPY static /build/static
---> 15cb91531038
Removing intermediate container d478b42b7906
Step 8 : COPY templates /build/templates
---> ecded5d1a52e
Removing intermediate container ac2390607e9f
Step 9 : COPY hamerkop /build/
---> 59efd1ca1771
Removing intermediate container b5fbf7e817b7
Step 10 : COPY config.yml /build/
---> bfa3db6c05b7
Removing intermediate container 1aebef300933
Step 11 : COPY articles /build/articles
---> 6b61cc9dde27
Removing intermediate container be78d0eb1213
Step 12 : RUN /build/hamerkop -c /build/config.yml
---> Running in fbc0b5e574c5
Successfully created file /usr/share/nginx/html//2011/06/25/checking-the-number-of-lwp-threads-in-linux
Successfully created file /usr/share/nginx/html//2011/06/checking-the-number-of-lwp-threads-in-linux
<truncated to reduce noise>
Successfully created file /usr/share/nginx/html//archive.html
Successfully created file /usr/share/nginx/html//sitemap.xml
---> 3b25263113e1
Removing intermediate container fbc0b5e574c5
Successfully built 3b25263113e1
```
### Running the custom container
After a successful build, we can run our custom container with the `docker` command and the `run` option, the same way we started the nginx container earlier.
```
# docker run -d -p 80:80 --name=blog blog
5f6c7a2217dcdc0da8af05225c4d1294e3e6bb28a41ea898a1c63fb821989ba1
```
Once again we used the `-d` (**detach**) flag to have Docker run the container in the background, but there are two new flags. The first, `--name`, gives the container a user-defined name; in the earlier example we did not specify one, so Docker generated a random name for us. The second, `-p`, lets us map a port on the host to a port inside the container.
The base **nginx** image we used exposes port 80 for its HTTP service. By default a container's ports are not bound to the host system, so for outside systems to reach a port inside the container we must map a host port to it with `-p`. In the command above, `-p 80:80` maps host port 80 to port 80 inside the container. Note that without an address, `-p` binds on all host interfaces (`0.0.0.0`, as the `docker ps` output below shows); to keep a service reachable only from the host itself, use `-p 127.0.0.1:80:80`.
After the command above our container appears to have started successfully, which we can verify with `docker ps`.
```
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d264c7ef92bd blog:latest nginx -g 'daemon off 3 seconds ago Up 3 seconds 443/tcp, 0.0.0.0:80->80/tcp blog
```
## Summary
At this point we have a running custom Docker container. Although this article only touched on a few Dockerfile instructions, all of them are worth knowing. [Docker's reference page](https://docs.docker.com/v1.8/reference/builder/) covers every Dockerfile instruction and documents each one in detail.
Another good resource is the [Dockerfile Best Practices page](https://docs.docker.com/engine/articles/dockerfile_best-practices/), which collects many best practices for building custom Dockerfiles. Some of its tips are very useful, such as ordering the commands in the Dockerfile strategically. In the example above we made the `COPY` of the `articles` directory the last `COPY` instruction in the Dockerfile, because `articles` changes frequently. Putting the instructions that change most often as late as possible maximizes the number of steps that can be served from the cache.
In this article we covered how to run a pre-built container and how to build and deploy a custom container. There is still a lot to learn about Docker, but I think this gives you a good idea of how to get started. Of course, if you think something should be added, just leave a comment below.
--------------------------------------
via:http://bencane.com/2015/12/01/getting-started-with-docker-by-dockerizing-this-blog/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+bencane%2FSAUo+%28Benjamin+Cane%29
Author: Benjamin Cane
Translator: [su-kaiyao](https://github.com/su-kaiyao)
Proofreader: [校对者ID](https://github.com/校对者ID)
This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and is proudly presented by [Linux中国](http://linux.cn/)

@ -1,15 +1,16 @@
Linux / Unix Desktop Fun: Christmas Tree For Your Terminal
Linux / Unix桌面之趣:终端上的圣诞树
================================================================================
Let us create Linux or Unix console Christmas tree just for fun and profit. First, you need to install a Perl module called Acme::POE::Tree. It is an animated Christmas tree module. I've tested this on Linux, OS X and Unix-like system.
给你的Linux或Unix控制台创造一棵圣诞树玩玩吧。在此之前需要先安装一个Perl模块命名为Acme::POE::Tree。这是一棵很喜庆的圣诞树我已经在Linux、OSX和类Unix系统上验证过了。
### Install Acme::POE::Tree ###
The easiest way to install any perl module is to use the cpan (Comprehensive Perl Archive Network). Open the terminal application and type the following command to install Acme::POE::Tree:
### 安装 Acme::POE::Tree ###
## run as root ##
安装perl模块最简单的办法就是使用cpanPerl综合典藏网。打开终端把下面的指令敲进去便可安装Acme::POE::Tree。
## 以root身份运行 ##
perl -MCPAN -e 'install Acme::POE::Tree'
**Sample outputs:**
**案例输出:**
Installing /home/vivek/perl5/man/man3/POE::NFA.3pm
Installing /home/vivek/perl5/man/man3/POE::Kernel.3pm
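Review bot: the translated comment `## 以root身份运行 ##` above `perl -MCPAN -e 'install Acme::POE::Tree'` carries over the original's advice to run the CPAN install as root, yet the sample output directly below installs into `/home/vivek/perl5/...`, i.e. the example was clearly produced as an unprivileged user and root was never needed; suggest the translation drop the root instruction (or say 以普通用户运行) rather than tell readers to run a network fetch-and-build as root. Also, "It is an animated Christmas tree module" is rendered as "这是一棵很喜庆的圣诞树", which loses "animated" (动画); the animation is the module's whole point and the later "Gif 01: An animated christmas tree" caption depends on it.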
@ -42,21 +43,21 @@ The easiest way to install any perl module is to use the cpan (Comprehensive Per
RCAPUTO/Acme-POE-Tree-1.022.tar.gz
[dependencies] -- NA
### Show Christmas tree in the shell ###
### Shell中显示圣诞树 ###
Simply type the following command:
只需要在终端上运行以下命令:
perl -MAcme::POE::Tree -e 'Acme::POE::Tree->new()->run()'
**Sample outputs:**
**案例输出**
![Gif 01: An animated christmas tree in Perl](http://s0.cyberciti.org/uploads/cms/2015/12/perl-tree.gif)
Gif 01: An animated christmas tree in Perl
Gif 01: 一棵用Perl写的喜庆圣诞树
### Tree customization ###
### 树的定制 ###
Here is my tree.pl:
以下是我的脚本文件tree.pl的内容
#!/usr/bin/perl
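Review bot: the replacement for "**Sample outputs:**" under the run command reads `**案例输出**` without the colon, while the same label earlier in this file was translated as `**案例输出:**`; make the two consistent. "案例" (case) is also an odd rendering of "Sample" here; 示例输出 is the usual term and would read more naturally in both places.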
@ -70,14 +71,14 @@ Here is my tree.pl:
);
$tree->run();
Now can play with your tree modifying star_delay, run_for, and light_delay. And ,there you have it a a Christmas tree in your shell for fun.
这样就可以通过修改star_delay、run_for和light_delay参数的值来自定义你的树了。一棵提供消遣的终端圣诞树就此诞生。
--------------------------------------------------------------------------------
via: http://www.cyberciti.biz/open-source/command-line-hacks/linux-unix-desktop-fun-christmas-tree-for-your-terminal/
作者Vivek Gite
译者:[译者ID](https://github.com/译者ID)
译者:[soooogreen](https://github.com/soooogreen)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
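Review bot: the closing footer line `本文由 [LCTT](...) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出` shows up as both the removed and the added line with identical visible text, which points to a whitespace or line-ending only change; if that is unintentional, leave the line untouched so the hunk stays minimal. The `译者` placeholder has been filled in with soooogreen while `校对:[校对者ID]` is still the template value, which is expected at the translation stage but should be confirmed before the proofreading pass closes it.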

Learn with Linux: Learning to Type
================================================================================
![](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-featured.png)
All articles in the [Learn with Linux][1] series:
- [Learn with Linux: Learning to Type][2]
- [Learn with Linux: Physics Simulation][3]
- [Learn with Linux: Learning Music][4]
- [Learn with Linux: Two Geography Apps][5]
- [Learn with Linux: Master Your Math][6]
Introduction: Linux offers a great many educational applications and tools for every grade level and age group, covering a large number of subjects, most of them interactive. This "Learn with Linux" series introduces some of this educational software.
Many people type, and operating a keyboard has become second nature to them. But how many of them still hammer at the keyboard with two fingers? Even if school taught us how to use a keyboard (LCTT translator's note: er...), we gradually abandon proper typing technique and settle into the habit of poking at the keys with two thumbs.
The two applications below can help you master your keyboard, so your fingers keep up with your thoughts and your train of thought is no longer interrupted. There are plenty of fancier, flashier programs to choose from, but the two chosen here are the simplest and easiest to get started with.
### TuxType (or TuxTyping) ###
TuxType is aimed at children. Through a few fun games, primary-school pupils can pick up the new skill of ten-finger typing by completing simple exercises.
TuxType is in the standard repositories of Debian and its derivatives (including all Ubuntu derivatives); install it with:
    sudo apt-get install tuxtype
The program opens with a simple Tux screen and an unpleasant MIDI tune; fortunately you can turn the sound down with the speaker button in the lower right corner. (LCTT translator's note: Tux is the Linux mascot; Linus said its expression was designed to look like the contentment right after a beer, see "Just For Fun".)
![learntotype-tuxtyping-main](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-main.jpg)
The first two options, "Fish Cascade" and "Comet Zap", are typing games; once you start one you need to be fully engaged in the exercise.
The third option, "Lesson", offers more than 40 simple lessons, each adding one more letter to practice; during practice it gives hints, such as which finger should press which key.
![learntotype-tuxtyping-exd1](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-exd1.jpg)
![learntotype-tuxtyping-exd2](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-exd2.jpg)
At a more advanced level you can practice typing sentences. For some reason the sentence practice is tucked away under the "Options" menu. (LCTT translator's note: the first practice sentence is "The quick brown fox jumps over the lazy dog", which contains all 26 letters; it can be used to check a keyboard for dead keys and is a staple of English typing practice.)
![learntotype-tuxtyping-phrase](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-phrase.jpg)
The games have the player type words to help Tux eat fish or zap falling comets, training both speed and accuracy.
![learntotype-tuxtyping-fish](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-fish.jpg)
![learntotype-tuxtyping-zap](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-tuxtyping-zap.jpg)
Besides being fun, these games train the player's spelling, speed and hand-eye coordination, because if you take them seriously you have to keep your eyes on the screen and type without looking at the keyboard.
### GNU typist (gtype) ###
For adults or people who already have some typing experience, GNU Typist may be a better fit; it is a GNU project and runs in the console.
GNU Typist is also in the repositories of most Debian derivatives; install it with:
    sudo apt-get install gtype
You probably will not find it in the application menu; launch it from a terminal with:
    gtype
The interface is simple and to the point: it offers the lessons and you pick one.
![learntotype-gtype-main](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-main.png)
The lessons are straightforward and detailed.
![learntotype-gtype-lesson](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-lesson.png)
During interactive practice, every mistake you type is highlighted. There is no fancy interface to distract you, so you can concentrate on practicing. A set of statistics in the lower right corner of each lesson shows how you are doing; make too many mistakes and you may not pass the level.
![learntotype-gtype-mistake](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-mistake.png)
Simple drills only ask you to repeat a few characters, while advanced drills have you type whole sentences.
![learntotype-gtype-warmup](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-warmup.png)
In the screenshot below the error rate is above 3%, which is too high; you will need to bring it down.
![learntotype-gtype-warmupfail](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-warmupfail.png)
Some drills serve a particular goal, such as the "balanced keyboard drill" (LCTT translator's note: apparently for building an even feel across the keyboard).
![learntotype-gtype-balanceddrill](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-balanceddrill.png)
Below is a speed drill.
![learntotype-gtype-speed-simple](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-speed-simple.png)
And here you are asked to type a classic passage.
![learntotype-gtype-speed-advanced](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-speed-advanced.png)
If you want to practice in another language, just adjust the command-line arguments.
![learntotype-gtype-more-lessons](https://www.maketecheasier.com/assets/uploads/2015/07/learntotype-gtype-more-lessons.png)
### Summary ###
If you want to work on your typing, Linux has plenty of software for you. The two applications introduced here have simple interfaces but rich content, enough to satisfy the great majority of typing enthusiasts. If you use, or have heard of, other excellent typing tutors, post them in the comments so the rest of us can learn something.
--------------------------------------------------------------------------------
via: https://www.maketecheasier.com/learn-to-type-in-linux/
Author: [Attila Orosz][a]
Translator: [bazz2](https://github.com/bazz2)
Proofreader: [校对者ID](https://github.com/校对者ID)
This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and is proudly presented by [Linux中国](https://linux.cn/)
[a]:https://www.maketecheasier.com/author/attilaorosz/
[1]:https://www.maketecheasier.com/series/learn-with-linux/
[2]:https://www.maketecheasier.com/learn-to-type-in-linux/
[3]:https://www.maketecheasier.com/linux-physics-simulation/
[4]:https://www.maketecheasier.com/linux-learning-music/
[5]:https://www.maketecheasier.com/linux-geography-apps/
[6]:https://www.maketecheasier.com/learn-linux-maths/

Learn with Linux: Two Geography Apps
================================================================================
![](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-featured.png)
All articles in the [Learn with Linux][1] series:
- [Learn with Linux: Learning to Type][2]
- [Learn with Linux: Physics Simulation][3]
- [Learn with Linux: Learning Music][4]
- [Learn with Linux: Two Geography Apps][5]
- [Learn with Linux: Master Your Math][6]
Introduction: Linux offers a great many educational applications and tools for every grade level and age group, covering a large number of subjects, most of them interactive. This "Learn with Linux" series introduces some of this educational software.
Geography is an interesting subject that we encounter every day, even if we do not realize it. When you open a GPS, a SatNav or Google Maps you are using the geographic data these applications provide; when you read news about a country or hear financial figures, that information also falls under geography. Linux offers many applications for learning geography, useful both for teaching and for self-study.
### Kgeography ###
The repositories of most Linux distributions hold only two geography-related applications, both from the KDE camp, or more precisely the KDE Education Project. Kgeography draws the selected country with simple colour-coded maps.
On Ubuntu and its derivatives, install it from a terminal with:
    sudo apt-get install kgeography
The interface is simple: a selection screen where you pick a country.
![learn-geography-kgeo-pick](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-kgeo-pick.png)
Click a region on the map and the program shows which country it belongs to, along with its capital.
![learn-geography-kgeo-brit](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-kgeo-brit.png)
It also offers various quizzes to test your knowledge.
![learn-geography-kgeo-test](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-kgeo-test.png)
The program tests your geography knowledge interactively and can help you prepare thoroughly for an exam.
### Marble ###
Marble is a somewhat more advanced program that offers a view of the whole globe without requiring 3D acceleration.
![learn-geography-marble-main](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-main.png)
On Ubuntu and its derivatives, install Marble from a terminal with:
    sudo apt-get install marble
Marble focuses on cartography; its main interface is a map.
![learn-geography-marble-atlas](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-atlas.jpg)
You can choose between projections such as the globe and Mercator (LCTT translator's note: methods of drawing the Earth's surface on a flat plane). From the drop-down menu you can pick a flat or an outside view, including the Atlas view, a full offline map provided by OpenStreetMap,
![learn-geography-marble-map](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-map.jpg)
a satellite view (provided by NASA),
![learn-geography-marble-satellite](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-satellite.jpg)
and political and even historical world maps.
![learn-geography-marble-history](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-history.jpg)
Besides offline maps with different views and plenty of data, Marble provides further information. From the menu you can switch the various offline info-boxes on and off
![learn-geography-marble-offline](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-offline.png)
as well as the online services.
![learn-geography-marble-online](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-online.png)
One interesting online service is Wikipedia: click the Wiki icon and a panel pops up with details about the selected region.
![learn-geography-marble-wiki](https://www.maketecheasier.com/assets/uploads/2015/07/learn-geography-marble-wiki.png)
The program also offers position tracking, route planning, location search and other useful features. If you enjoy cartography, Marble will give you many hours of exploration and learning.
### Summary ###
Linux offers a great deal of excellent educational software, and geography is no exception. The two applications introduced here can teach you a lot of geography and let you test your knowledge in a fun, interactive way.
--------------------------------------------------------------------------------
via: https://www.maketecheasier.com/linux-geography-apps/
Author: [Attila Orosz][a]
Translator: [bazz2](https://github.com/bazz2)
Proofreader: [校对者ID](https://github.com/校对者ID)
This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and is proudly presented by [Linux中国](https://linux.cn/)
[a]:https://www.maketecheasier.com/author/attilaorosz/
[1]:https://www.maketecheasier.com/series/learn-with-linux/
[2]:https://www.maketecheasier.com/learn-to-type-in-linux/
[3]:https://www.maketecheasier.com/linux-physics-simulation/
[4]:https://www.maketecheasier.com/linux-learning-music/
[5]:https://www.maketecheasier.com/linux-geography-apps/
[6]:https://www.maketecheasier.com/learn-linux-maths/